Found a simple “Price Parameter Tampering” on IT Bootcamp (Indonesia)

Caesar Evan Santoso
3 min readDec 6, 2020
Bug Hunter

Hello, here I want to share a short story about finding a “Price Parameter Tampering” bug on one of the IT Bootcamp websites in Indonesia.

Summary

A parameter tampering attack relies on manipulating the parameters exchanged between the client and the server in order to change application data such as user credentials and permissions, product prices and quantities, and so on. Usually this data is passed in the body of a POST request or in hidden form fields, so the application wrongly assumes the user cannot alter it.

Impact

Due to a business logic error (the price was read from a request parameter that the client controls), I was able to change the price from 9 million to 9 thousand rupiah:
Rp 9,000,000.00 became Rp 9,000.

Steps to Reproduce

  1. Add the items you want to buy to the shopping cart.

  2. Capture the checkout request with Burp Suite.

Ahhh, very expensive.

  3. Change the price values in the intercepted request to 7500 and 1750.

Very good!!! Very cheap now!

  4. The price is now lower than it should be, and the checkout continued with the tampered amount all the way to the “OVO” payment application.

I love it❤

Remediation

  1. Don’t rely on controls that live in the browser. Client-side validation and values stored on the client (hidden fields, JavaScript-computed totals, local storage) are fully under the attacker’s control and can be rewritten in an intercepting proxy such as Burp Suite.
  2. Never accept a price from the request. When a product is added to the cart, the server should look the price up in its own catalog by product id and compute the total itself. If the cart state has to round-trip through the client, have the server sign it with a keyed hash (an HMAC using a secret that only the server holds) and verify that tag on every request. An unkeyed checksum such as an MD5 that the client can recompute offers no protection, because the attacker simply recalculates it after changing the value.
  3. Validate input for improper characters and data types, and enforce ranges. For quantity, reject zero and negative values and define both a minimum and a maximum that the application will accept, for example 1–10. Always set an explicit upper and lower bound for every numeric field.
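As an added example (not the author’s code and not the bootcamp’s own backend), the following Python sketch puts the vulnerable total calculation next to the hardened one described in the remediation list: the server ignores any client-supplied price, looks prices up in its own catalog, enforces the 1–10 quantity range, and signs cart state with a server-held HMAC key. The product ids, prices, request shape and key handling are assumptions for illustration; the writeup does not show the site’s real request format.

```python
import hashlib
import hmac
import json
import secrets
from decimal import Decimal

# Constructed, hypothetical server-side catalog: product id -> price in rupiah.
# The real site's product ids and prices are not known from the writeup.
CATALOG = {
    "bootcamp-fullstack": Decimal("9000000"),
    "bootcamp-data-science": Decimal("7500000"),
}
MIN_QTY, MAX_QTY = 1, 10              # quantity range the remediation recommends
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret; never sent to the browser


class CartError(ValueError):
    """Raised when a cart request fails server-side validation."""


def vulnerable_total(cart_request):
    """The flaw from the writeup: the server trusts the 'price' field sent by the client."""
    return sum(Decimal(str(it["price"])) * it["qty"] for it in cart_request["items"])


def hardened_total(cart_request):
    """Recompute the total from the server-side catalog; any client 'price' is ignored."""
    total = Decimal(0)
    for it in cart_request["items"]:
        product_id = it.get("product_id")
        if product_id not in CATALOG:
            raise CartError(f"unknown product {product_id!r}")
        qty = it.get("qty")
        # bool is a subclass of int, so reject it explicitly; also reject strings,
        # zero, negatives and anything above the configured maximum.
        if isinstance(qty, bool) or not isinstance(qty, int) or not MIN_QTY <= qty <= MAX_QTY:
            raise CartError(f"quantity {qty!r} outside {MIN_QTY}..{MAX_QTY}")
        total += CATALOG[product_id] * qty
    return total


def _canonical(items):
    # Only the fields the server actually uses, in a fixed serialisation, so the tag is stable.
    pairs = sorted((it["product_id"], it["qty"]) for it in items)
    return json.dumps(pairs, separators=(",", ":")).encode()


def sign_cart(items):
    """Server-issued HMAC tag over the cart, so cart state held client-side cannot be altered silently.

    Unlike a client-computable MD5, the attacker cannot recompute this without SERVER_KEY.
    """
    return hmac.new(SERVER_KEY, _canonical(items), hashlib.sha256).hexdigest()


def verify_cart(items, tag):
    """Constant-time comparison of the presented tag against a freshly computed one."""
    return hmac.compare_digest(sign_cart(items), tag)


if __name__ == "__main__":
    # Constructed request resembling the tampered one in the writeup:
    # the catalog price is 9,000,000 but the client claims 7,500.
    tampered = {"items": [{"product_id": "bootcamp-fullstack", "qty": 1, "price": 7500}]}
    print("vulnerable server charges:", vulnerable_total(tampered))
    print("hardened server charges:  ", hardened_total(tampered))

    tag = sign_cart(tampered["items"])
    altered = [{"product_id": "bootcamp-fullstack", "qty": 3}]
    print("original cart verifies:", verify_cart(tampered["items"], tag))
    print("altered cart verifies: ", verify_cart(altered, tag))
```

The hardened path never reads the client’s `price` at all, which is the real fix; the HMAC only matters when the server chooses to let the browser carry the cart between requests, and it protects the product ids and quantities, not a price the client should never have been allowed to send.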

Timeline

> 25 Oct 2020 : Report.
> 16 Nov 2020 : They informed me that the bug was fixed.

I hope you enjoyed this writeup!!!

Follow me

Linkedin : https://www.linkedin.com/in/c3van/