Shopping Products For Free - Parameter Tampering Vulnerability

Divyanshu
Published in InfoSec Write-ups
4 min read, Jul 21, 2019


Let’s bargain online from an e-commerce website.

I received a hacking invite from a very popular e-commerce website, one I have been ordering from for a very long time. So I started testing; the company specifically wanted bugs that affect their business first. The first thing that came to my mind was, obviously, parameter tampering.

Summary

A parameter tampering attack relies on manipulating the parameters exchanged between client and server in order to change application data such as user credentials and permissions, the price or quantity of a product, and so on. Usually this data is passed in a POST request or in hidden form fields.
We will be looking at a price manipulation vulnerability that is present in almost every online shopping cart and payment gateway these days.

For obvious reasons, we will refer to the website as redacted.com. The main issue on this website was that they enforced an upper bound of 10 units of a product per cart line, but forgot to put a constraint on the lower bound. So anyone could set the quantity to a negative number; it was multiplied by the product price, adding a negative quantity and a negative amount to the cart.

Impact

Due to a business logic error, I was able to tamper with the cart, add a negative quantity of a product, which was reflected at checkout, and order products at a lower price. The only constraint was the minimum cart value.

Steps to reproduce:

  • Visit redacted.com, open a product you don't actually want to buy and add it to the cart. I added t-shirts, intercepted the request and changed the quantity to -10.
    Value: -10 * 599 ₹ = -5990 ₹ /-
  • Then, to balance the cart, I added 7 shoes.
    Value: 7 * 399 ₹ = 2793 ₹ /-
    (Screenshot: 7 shoes to balance for 399)
  • The cart still needs to have some positive value so that it is displayed in the UI.
  • So I added 8 more denims.
    Value: 8 * 399 ₹ = 3192 ₹ /-
    (Screenshot: 8 more denims for 399)
  • I was adding items more or less at random to balance the cart, and tried to buy with a total cost of -5 ₹. But it showed me an error.
    Value: -5990 ₹ + 2793 ₹ + 3192 ₹ = -5 ₹

This was because the minimum cart value to proceed to checkout was 350 ₹.

(Screenshot: cart total less than 350)

So I added 1 more shirt of 599 ₹ so that the total adds up to more than 350 ₹.

  • The total cost became 594 ₹; with GST it came to around 923 ₹.
    (Screenshot: final cart value)
  • So I had 7 shoes, 8 shorts and 1 small shirt in my cart, which I could buy.
  • I proceeded to select the address, reached the payment method and paid via card.
  • The order was successful.
  • I then reported the critical bug along with a video POC and got the bounty.

Remediation:

  • Don't rely on controls that live in the browser: don't depend on client-side validation or on values stored in the browser.
  • When a product is added to the cart, compute an MD5 sum or any other hash over the whole request on the server and compare it on the backend, so that if any value in the request is manipulated the hash no longer matches the server's hash.
  • Validate input for improper characters and data types. Specifically for this case, check that the quantity is not in the negative range. Since a maximum of 10 is already defined, keep the range at 1–10 by defining a minimum value too. Always define both the maximum and the minimum value that the application will accept.
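As an added illustration (not code from the write-up or the vendor), here is a Python sketch of the server-side checks the remediation describes: quantity bounded to 1 to 10, the total recomputed from server-side prices, the 350 ₹ minimum enforced, and a keyed hash (HMAC, assumed here in place of the plain MD5 mentioned above) over the cart so a tampered cart is rejected at checkout. The catalog, prices and secret are constructed sample values.

```python
import hmac
import hashlib
import json

# Constructed sample catalog; prices taken from the write-up plus a cheap item.
# The server, never the client, is the source of truth for prices.
CATALOG = {"tshirt": 599, "shoes": 399, "denim": 399, "socks": 99}
MIN_QTY, MAX_QTY = 1, 10          # both bounds enforced, not just the maximum
MIN_CART_VALUE = 350              # minimum order value from the write-up
SERVER_SECRET = b"demo-secret"    # assumption: a real key lives in a secrets store


def validate_quantity(qty):
    """Reject negatives, zero, oversized and non-integer quantities."""
    if not isinstance(qty, int) or isinstance(qty, bool):
        raise ValueError(f"quantity must be an integer, got {qty!r}")
    if not MIN_QTY <= qty <= MAX_QTY:
        raise ValueError(f"quantity {qty} outside allowed range {MIN_QTY}-{MAX_QTY}")
    return qty


def price_cart(items):
    """Recompute the total from CATALOG prices and client-sent quantities only."""
    total = 0
    for sku, qty in items.items():
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku!r}")
        total += CATALOG[sku] * validate_quantity(qty)
    if total < MIN_CART_VALUE:
        raise ValueError(f"cart total {total} below minimum {MIN_CART_VALUE}")
    return total


def checkout_error(items):
    """Return the validation error for a cart, or None if it is acceptable."""
    try:
        price_cart(items)
    except ValueError as err:
        return str(err)
    return None


def sign_cart(items):
    """HMAC over a canonical encoding of the cart, issued when the cart is saved."""
    canonical = json.dumps(sorted(items.items())).encode()
    return hmac.new(SERVER_SECRET, canonical, hashlib.sha256).hexdigest()


def cart_untampered(items, tag):
    """True only if the cart presented at checkout matches the tag the server issued."""
    return hmac.compare_digest(sign_cart(items), tag)
```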

