How can I buy any product and pay only $1 — Client-Side Injection

Kurt Russelle Marmol
2 min read · Dec 22, 2021

Hi, I am Kurt Russelle Marmol. I have been doing bug hunting for more than a year, and this is my first bug bounty write-up about my findings.

Vulnerability :

  • Client-Side Injection
  • API Implementation

Description:

Client-side injection results in the execution of malicious code on the mobile device via the mobile app. Typically, this malicious code is provided in the form of data that the threat agent inputs to the mobile app through a number of different means. … The code is malicious in nature and executed by the app.

A program implements an API when it follows the API’s rules. In our pizza parlor example, a client that can make requests to the /orders endpoint using the correct headers and data format would be a client that implements the pizza parlor’s API. … The last step is to put the resulting program on a server.

Story:

These programs are shopping websites and private programs, so they do not want their names mentioned; I will use redacted.com as the example domain.

As a user, you need to create an account, choose some products, and then fill in the shipping address.

The bug is in the payment section, where you pay for your order.

After that, the website redirected to api.redacted.com, and the response contained the following keys and values:


{
"method": "*****",
"email": "****@gmail.com",
"description": "******",
"amount": "146.08"
}

I tried changing the value of the amount key from 146.08 to 1.08, and the response was HTTP 201 Created, a success status code indicating that the request succeeded and led to the creation of a resource.

The bug here is that the checkout page allows the amount to be changed from the client side.

When I reloaded the page, this is what happened: the API response containing the price amount had been changed to $1.08.
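To make the defect concrete, here is an added example (not code from this post or from the affected program) of a payment handler that trusts the client-supplied amount, beside a hardened one that recomputes the total from server-side line items and treats any mismatch as a tampering signal. The order store, order id, field names and prices are constructed assumptions.

```python
from decimal import Decimal
from typing import Any

# Constructed sample order store standing in for the merchant's database.
# Prices are server-side facts; the client must never be the source of truth.
ORDERS = {
    "ord-1001": {
        "email": "user@example.com",
        "items": [
            {"sku": "WIDGET", "unit_price": "120.00", "qty": 1},
            {"sku": "SHIPPING", "unit_price": "26.08", "qty": 1},
        ],
    }
}


def server_total(order_id: str) -> Decimal:
    """Recompute the order total from the server-side line items."""
    order = ORDERS[order_id]
    return sum(
        (Decimal(i["unit_price"]) * i["qty"] for i in order["items"]),
        Decimal("0.00"),
    )


def create_payment_vulnerable(body: dict[str, Any]) -> tuple[int, dict]:
    """Trusts the client-supplied "amount" field, as the write-up describes."""
    payment = {"order_id": body["order_id"], "amount": Decimal(body["amount"])}
    return 201, payment  # 201 Created even when the amount was tampered with


def create_payment_hardened(body: dict[str, Any]) -> tuple[int, dict]:
    """Charges the server-derived total; a client mismatch is rejected and logged."""
    order_id = body.get("order_id")
    if order_id not in ORDERS:
        return 404, {"error": "unknown order"}
    expected = server_total(order_id)
    claimed = body.get("amount")
    if claimed is not None and Decimal(str(claimed)) != expected:
        # Tampered or stale client state: reject and leave an audit trail
        # (the returned dict is what a real handler would also log).
        return 400, {"error": "amount mismatch", "expected": str(expected)}
    return 201, {"order_id": order_id, "amount": expected}
```

The hardened handler never uses the client value as the charge; it only compares it, so a $1.08 request against a $146.08 order is refused instead of created.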

Impact:

The bug can be performed by any user by changing the original price and paying a lower amount. I tried a $0 amount but it didn't work; it only accepts $1 and up, so if your order total is $120 you can change it to $1 and pay.

Timeline:

Dec 13, 2021 — Bug submitted

Dec 15, 2021 — Bug review and eligible for bounty reward

Dec 22, 2021 — Private Program replied, bug fixed since Dec 16, 2021

Shout out to PlagueSec, KumaTech Developers and all the crew HAHAHA
