How’s it going everyone! My name is Sagar Sajeev. I found an interesting Business Logic Flaw and wanted to share it with you guys.
According to OWASP, Business Logic Vulnerabilities are ways of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization.
How did I find it?
- This particular target e-commerce website offers a 15% instant discount on purchases totalling $400 or above (T&Cs apply).
- I added some products to the cart so as to reach the $400 threshold cart value.
- The 15% discount coupon was added automatically.
- On the last checkout page, they show you all the items that have been added, and they had an option to remove any item from the cart.
- I removed a bunch of items and brought the cart value down to around $120.
- To my surprise, the coupon was still valid and I was offered the 15% instant discount even though the cart value was less than $400.
- I made the purchase for $120 and, as per the invoice, the discount was indeed applied.
- I reported this vuln to the Security department of the e-commerce site and it was rated as a high-severity bug.
(P.S — I did ask them whether I could make a writeup on this. They said it was fine, but they specifically asked me not to mention their Website name anywhere. That’s why I didn’t include any target name in this writeup.)
- I was awarded $400 as bounty and an additional $200 coupon which can be redeemed only for purchases made on this particular e-commerce website.
- The Sec team was super helpful. They responded, resolved and rewarded the bounty, all within 24 hours.
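To make the flaw concrete, here is a small model of the cart logic described above. It is an added example written for this writeup, not code from the target site (whose implementation I never saw); the item names, prices and class names are constructed. `FlawedCart` sets a sticky "coupon applied" flag the moment the subtotal crosses $400 and never re-checks it when items are removed, which is exactly the behaviour observed at checkout. `FixedCart` treats eligibility as a pure function of the current subtotal and recomputes it every time a total is produced, including at order placement.

```python
"""Constructed model of the cart discount flaw and its fix (not the target's code)."""
from decimal import Decimal, ROUND_HALF_UP

THRESHOLD = Decimal("400")        # assumed: the $400 eligibility threshold
DISCOUNT_RATE = Decimal("0.15")   # the 15% instant discount


def _money(amount: Decimal) -> Decimal:
    """Round to cents the way an invoice would."""
    return amount.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


class FlawedCart:
    """Coupon eligibility is decided once, on add, and stored as a flag (the bug)."""

    def __init__(self) -> None:
        self.items: dict[str, Decimal] = {}   # sku -> unit price
        self.coupon_applied = False

    def add(self, sku: str, price: str) -> None:
        self.items[sku] = Decimal(price)
        if self.subtotal() >= THRESHOLD:
            self.coupon_applied = True        # sticky: never cleared again

    def remove(self, sku: str) -> None:
        self.items.pop(sku, None)             # flag is NOT recomputed here

    def subtotal(self) -> Decimal:
        return sum(self.items.values(), Decimal("0"))

    def checkout_total(self) -> Decimal:
        sub = self.subtotal()
        if self.coupon_applied:               # trusts stale state
            return _money(sub * (1 - DISCOUNT_RATE))
        return _money(sub)


class FixedCart(FlawedCart):
    """Eligibility is derived from the current subtotal at the moment it is needed."""

    def add(self, sku: str, price: str) -> None:
        self.items[sku] = Decimal(price)      # no flag to set

    def eligible(self) -> bool:
        # Evaluated server-side against the subtotal that will actually be charged.
        return self.subtotal() >= THRESHOLD

    def checkout_total(self) -> Decimal:
        sub = self.subtotal()
        if self.eligible():
            return _money(sub * (1 - DISCOUNT_RATE))
        return _money(sub)


# Constructed sample basket: crosses $400 with all three items, drops to $120
# once the two expensive ones are removed at the checkout page.
ITEMS = [("headphones", "250.00"), ("keyboard", "100.00"), ("mouse", "120.00")]
REMOVED_AT_CHECKOUT = ["headphones", "keyboard"]


def reproduce(cart_cls: type) -> tuple[Decimal, Decimal]:
    """Replay the steps from the writeup; returns (final subtotal, amount charged)."""
    cart = cart_cls()
    for sku, price in ITEMS:
        cart.add(sku, price)
    assert cart.subtotal() >= THRESHOLD       # coupon would be offered here
    for sku in REMOVED_AT_CHECKOUT:
        cart.remove(sku)
    return cart.subtotal(), cart.checkout_total()


if __name__ == "__main__":
    for cls in (FlawedCart, FixedCart):
        sub, charged = reproduce(cls)
        print(f"{cls.__name__}: subtotal ${sub}, charged ${charged}")
```

Running it shows the flawed cart charging $102.00 on a $120 subtotal while the fixed cart charges the full $120.00. The general lesson is that any promotion condition (thresholds, bundle discounts, free shipping) must be re-evaluated from the authoritative server-side order state at the point the order is finalised, never carried forward from an earlier cart mutation or from a flag the client can keep alive.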
Tip: most of the time, logic vulns are unique in their own way, so the best approach is to try things that could break the application logic. If some application function seems obvious to you, think about what a malicious user could do with it and how.
Submitted : 28–07–2022
Accepted : 28–07–2022
Resolved : 29–07–2022
Bounty Awarded : 29–07–2022
I hope y’all learned something new today. I’ve made two other writeups, so please do check them out as well.
I share tips about Bug Bounties and related stuff every now and then on my Twitter and LinkedIn handles, so do follow me there.
- LinkedIn : https://www.linkedin.com/in/sagar-sajeev-663491208/
- Twitter : https://twitter.com/Sagar__Sajeev
If you’ve got any queries, feel free to message me. I will be more than happy to help.