Price control bugs on modern shopping websites


We are going to buy a gaming PC for just a dollar.


Who the hell sells gaming PCs for a dollar???

No one is stupid enough to sell one for a dollar. But I found a shopping site that is indirectly stupid. What? Indirectly stupid?


Today we will be doing a security review of a shopping website. Or rather, we are hacking a shopping website ;) . That sounds cooler.

OK, let me explain the how and why.


Is it a real currently running website?

Yes, of course. But I can't show you the website due to some policy.

Is the website still vulnerable?

Yes, and that's why I can't show you the site. But I have reported it to the company.

A few days back I was searching for some pre-built gaming PCs. As I was scrolling through a website, I took a look at its HTTP parameters. There I saw a parameter called "member_password" in the Cookie header, and its value was our account's password. I was quite shocked: the password was sent in plain text.

But it's our own password, so nothing interesting there. I continued scanning through the HTTP requests for a while and played with the parameters. Then, after about 30 minutes...

Tool used: Burp Suite.




The above are the parameters of interest. "monitor=19" defines the monitor type and "monitorqty=-4" is the number of monitors we are buying.


Did you notice something wrong?

Yes, "4" was the original value of "monitorqty", but when I changed it to "-4"...

The price of the monitor was subtracted from the total PC price [total PC price + (-4 * monitor price) = our manipulated price].
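To make the root cause concrete, here is an added example (my own illustration, not the site's code): a cart-total routine that mirrors the behaviour described above, next to a hardened version that validates the quantity server-side and always takes the unit price from the catalogue rather than from the request. The item keys, prices and the `MAX_QTY` limit are constructed sample values, and `flag_suspicious_query` is a small detection helper for spotting the same pattern in request logs.

```python
"""Negative-quantity price control bug: vulnerable vs. hardened cart total.
Added example; catalogue, prices and limits are constructed, not the site's."""

from urllib.parse import parse_qs

# Constructed catalogue. "monitor_19" is an assumed key standing in for the
# page's "monitor=19" parameter; the real site's IDs and prices are unknown.
CATALOG = {
    "pc_base": 1200.00,
    "monitor_19": 250.00,
}

MAX_QTY = 10  # assumed per-line-item business limit


class InvalidCart(ValueError):
    """Raised when a cart parameter fails validation."""


def vulnerable_total(params: dict) -> float:
    """Mirrors the post: quantity is taken from the request as-is, so
    monitorqty=-4 subtracts four monitors from the PC price."""
    qty = int(params["monitorqty"][0])
    monitor = CATALOG[f"monitor_{params['monitor'][0]}"]
    return CATALOG["pc_base"] + qty * monitor


def parse_qty(raw: str) -> int:
    """Accept only a plain ASCII positive integer within the business limit.
    Rejects "-4", "+4", "4.0", " 4", "" and Unicode digit lookalikes."""
    if not (raw.isascii() and raw.isdigit()):
        raise InvalidCart(f"quantity must be a positive integer, got {raw!r}")
    qty = int(raw)
    if not 1 <= qty <= MAX_QTY:
        raise InvalidCart(f"quantity out of range: {qty}")
    return qty


def hardened_total(params: dict) -> float:
    """Same formula, but the quantity is validated and the unit price is
    looked up server-side; nothing price-related is trusted from the client."""
    key = f"monitor_{params['monitor'][0]}"
    if key not in CATALOG:
        raise InvalidCart("unknown monitor")
    qty = parse_qty(params["monitorqty"][0])
    return CATALOG["pc_base"] + qty * CATALOG[key]


def checkout_total(query: str) -> float:
    """Parse a raw query string (as Burp would show it) and price it safely."""
    return hardened_total(parse_qs(query, keep_blank_values=True))


def flag_suspicious_query(query: str) -> list:
    """Detection helper for request logs: return (name, value) pairs for
    quantity-like parameters whose value is not a positive integer."""
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        lname = name.lower()
        if "qty" in lname or lname.endswith("quantity"):
            for v in values:
                if not (v.isascii() and v.isdigit()) or int(v) == 0:
                    hits.append((name, v))
    return hits


if __name__ == "__main__":
    legit = "monitor=19&monitorqty=4"
    tampered = "monitor=19&monitorqty=-4"
    print("vulnerable, legit:   ", vulnerable_total(parse_qs(legit)))
    print("vulnerable, tampered:", vulnerable_total(parse_qs(tampered)))
    print("hardened, legit:     ", checkout_total(legit))
    try:
        checkout_total(tampered)
    except InvalidCart as e:
        print("hardened, tampered:  rejected ->", e)
    print("log check:", flag_suspicious_query(tampered))
```

The key design point is that the server never derives a price from anything the client sends: quantity is whitelisted to a bounded positive integer, and the unit price comes from the catalogue. The same validation should be repeated at payment time, since the post shows the tampered total surviving all the way to checkout.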




And after some math and magic...



The unit price was totally in our control.


Then I proceeded to payment to see if the price was really manipulated.


And BOOM!!

The final price is our manipulated price. 


This was not the only vulnerability on the website. There were several insecure parameters that could lead to price control bugs, and some stored XSS issues were found as well.


Price control bugs are very rare nowadays, but I think I was quite lucky. 

Let's end here as this is a #short-post series.
