E-commerce stores can lose out on a lot of revenue if price manipulation vulnerabilities get actively exploited by bad actors.
These are usually business logic flaws: the developer lets the server trust values sent by the client, so the checkout miscalculates the total (the author calls this formula injection). A malicious shopper can then order items at a heavily reduced price or, in severe cases, entirely for free!
Let’s dive into the 5 most common price manipulation vulnerabilities and how to exploit them!
Price Manipulation Vulnerabilities:
Imagine this…
Your laptop’s screen suddenly turns off… You don’t know why, but when you try to turn the PC back on, you notice that the screen doesn’t work anymore!
So… this means no more bug bounty for the rest of the week? Of course not!
As you already have some experience repairing basic PC parts, you decide to take the matter into your own hands!
A couple of moments later, you found the same screen on example[.]com for only $200.
The site looks a bit outdated and shady, but you realize that you received a private invite from that same company a few weeks ago!
Sweet! Maybe you can get the price of the screen back if you report a couple of vulnerabilities?!
And you did do so by discovering a way to order products for free!
Actually, you found multiple ways to order free products…
Being able to change the price of any product is a perfect example of a price manipulation vulnerability!
Let’s dive into all of these!
1) Formula Injection: Price Tampering
The first method that allowed you to order your new screen for only $0.01 was through parameter tampering!
Let’s see how that works.
When you clicked through to the checkout page, you saw that the POST body contained an “amount” parameter.
You changed “200” to “0.01”.
You ordered the screen and saw that you only got charged $0.01.
2) Formula Injection: Quantity Tampering
After you’ve found the first vulnerability, you thought to yourself that this place is full of other similar vulnerabilities!
And you were right! Let’s check it out
Negative Quantity:
So this time, you decided to set the quantity of one of your items to a negative number.
And guess what happened at the backend…
The price of the first 2 items got added up, while the price of the other 2 items got deducted, because the server multiplied the unit price by the negative quantity without checking it!
Decimal Quantity:
Shortly after you found the second vulnerability, you decided to give the web shop another shot.
This time, you set the quantity to a decimal number.
Guess what… The backend just multiplied the price by the quantity again, without validating that it was a whole number!
3) Integer Overflow
After submitting the first 3 vulnerabilities, you decided to bypass the checks that had been put in place.
You tried to set the quantity to a negative number again… but that didn’t seem to work anymore.
So this time, you tried an integer overflow.
You set the quantity to a very big number that the backend just can’t handle: the price is stored in a 64-bit integer (often typed as int64), and if the code doesn’t validate this case…
the multiplied total wraps around to a negative number or even ends up as 0 (depending on the underlying code and libraries used)!
4) Coupons:
After reporting all the previous vulnerabilities, you thought that this was enough, but right before you left, a thought struck you!
You remembered the last Intigriti bug bounty tip and gave it a shot!
The checkout page also accepts coupons.
You went on their social media and started looking for previous coupons!
Unfortunately, you only found 1 that was still valid, and it only gave you 10% off… Not vulnerable.
But you decided not to give up and looked at the Wayback Machine… You found 5 other coupons that should’ve expired by now… or have they?
On top of that, the web shop allows you to redeem multiple vouchers on one order.
At checkout you find yourself paying only $50 instead of the whole $200.
5) Currency Confusion
You wanted to try to bypass the payment once more, as you noticed a new body parameter “currency” during retesting.
This time, you tried everything, and right before you wanted to quit, another thought struck you:
What if I leave the price untouched but instead change the currency from “USD” to “INR”?
200 INR is equal to ~2.5 USD, and the server charged the client-supplied amount in the client-supplied currency without checking that the two belonged together.
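The fix for all five issues is the same: the server never trusts price, quantity, currency or coupon state from the client. As an added example (not code from the original post), here is a constructed Python checkout calculation showing the flawed pattern beside a hardened one; the catalog, coupons, SKU names and prices are made up for illustration.

```python
from datetime import date

# Constructed server-side data: unit prices in minor units (cents/paise) per currency.
CATALOG = {"screen-27": {"USD": 20000, "INR": 1650000}}
# Constructed coupons: percent off and last valid day, checked server-side only.
COUPONS = {"SAVE10": {"pct": 10, "valid_until": date(2099, 1, 1)},
           "OLD50": {"pct": 50, "valid_until": date(2015, 1, 1)}}
MAX_QTY = 100

class CheckoutError(ValueError):
    pass

def vulnerable_total(body):
    # Flawed pattern from the post: the client's "amount" and "quantity" are multiplied
    # as-is (negative, decimal or huge quantities included), the result is charged in the
    # client's "currency", and every coupon is stacked without an expiry check.
    total = body["amount"] * body["quantity"]
    for code in body.get("coupons", []):
        total -= total * COUPONS[code]["pct"] // 100
    return total

def hardened_total(body, today=date.today):
    """Return the total in minor units, derived only from server-side data."""
    sku, currency, qty = body.get("sku"), body.get("currency"), body.get("quantity")
    if sku not in CATALOG or currency not in CATALOG[sku]:
        raise CheckoutError("unknown product or currency")
    # Whole, positive, bounded quantity: rejects bool, float, str, 0, negatives and
    # the huge values used for integer overflow (Python ints never wrap, but the bound
    # is what a fixed-width backend needs).
    if type(qty) is not int or not 1 <= qty <= MAX_QTY:
        raise CheckoutError("invalid quantity")
    total = CATALOG[sku][currency] * qty  # the client's "amount" is ignored entirely
    codes = body.get("coupons", [])
    if len(codes) > 1:
        raise CheckoutError("only one coupon per order")
    for code in codes:
        coupon = COUPONS.get(code)
        if coupon is None or today() > coupon["valid_until"]:
            raise CheckoutError("invalid or expired coupon")
        total -= total * coupon["pct"] // 100
    return total

def is_rejected(body, today=date.today):
    """True if the hardened checkout refuses the request (useful for regression tests)."""
    try:
        hardened_total(body, today)
    except CheckoutError:
        return True
    return False
```

Logging each CheckoutError together with the offending field gives a cheap detection signal for tampering attempts against the checkout endpoint.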
These were the top 5 most common price manipulation vulnerabilities present in e-commerce websites! We hope you’ve learned something new from this post!
Looking to hunt on e-commerce websites? Browse through our 70+ public bug bounty programs on Intigriti and who knows, maybe you’ll earn a bounty with us today!