How’s it going everyone! My name is Sagar Sajeev. I had found an interesting Business Logic Flaw and wanted to share it with you guys.

How did I find it?

  1. This particular target e-commerce website offers a 15% instant discount on purchases totalling $400 or above (T&C's apply).
  2. I added some products to the cart so as to reach the $400 threshold cart value.
  3. The 15% discount coupon was added automatically.
  4. On the final checkout page, all the items that have been added are listed, and there is an option to remove any item from the cart.
  5. I removed a bunch of items and brought the cart value down to around $120.
  6. To my surprise, the coupon was still valid and I was offered 15% instant discount even though the cart value was less than $400.
  7. I made the purchase for $120 and as per the invoice the discount was indeed applied.
  8. I reported this vuln to the security department of the e-commerce site, and it was rated as a high severity bug.
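The root cause described above is a classic state-synchronisation bug: eligibility for the promotion is decided once, when the cart crosses the threshold, and stored as a sticky flag that the checkout step trusts without re-checking. The following Python model is an added example written for this writeup (not the target's code, whose internals are unknown); item names and prices are constructed sample data, and only the $400 threshold and 15% rate come from the post. It reproduces the flow in the steps above against a vulnerable checkout and against a hardened one that re-derives eligibility from the final cart, and it includes a small audit check a backend could run to flag orders where a discount was granted without the cart still qualifying.

```python
from dataclasses import dataclass, field

THRESHOLD = 400.00     # minimum cart total for the promotion (from the writeup)
DISCOUNT_RATE = 0.15   # 15% instant discount (from the writeup)


@dataclass
class Cart:
    # name -> unit price; hypothetical in-memory session state
    items: dict = field(default_factory=dict)
    # sticky flag: set once the threshold is crossed, never cleared (the flaw)
    coupon_applied: bool = False

    def subtotal(self) -> float:
        return round(sum(self.items.values()), 2)

    def add(self, name: str, price: float) -> None:
        self.items[name] = price
        # Vulnerable pattern: eligibility is evaluated only on add events.
        if self.subtotal() >= THRESHOLD:
            self.coupon_applied = True

    def remove(self, name: str) -> None:
        del self.items[name]
        # Flaw: removal changes the total but leaves coupon_applied untouched.


def vulnerable_checkout_total(cart: Cart) -> float:
    """Trusts the flag set earlier in the session (what the writeup observed)."""
    total = cart.subtotal()
    if cart.coupon_applied:
        total -= total * DISCOUNT_RATE
    return round(total, 2)


def hardened_checkout_total(cart: Cart) -> float:
    """Re-derives eligibility from the cart as it exists at order placement."""
    total = cart.subtotal()
    if total >= THRESHOLD:
        total -= total * DISCOUNT_RATE
    return round(total, 2)


def audit_order(cart: Cart) -> dict:
    """Server-side consistency check: a discount flag on a cart that no longer
    qualifies is exactly the condition a defender wants to log and block."""
    qualifies = cart.subtotal() >= THRESHOLD
    return {
        "subtotal": cart.subtotal(),
        "coupon_flag": cart.coupon_applied,
        "qualifies_now": qualifies,
        "discount_without_eligibility": cart.coupon_applied and not qualifies,
    }


def reproduce() -> tuple:
    """Walks through the steps from the writeup with constructed sample items."""
    cart = Cart()
    cart.add("headphones", 160.00)
    cart.add("monitor arm", 130.00)
    cart.add("cable kit", 120.00)     # subtotal 410.00 -> coupon auto-applied
    cart.remove("headphones")
    cart.remove("monitor arm")        # subtotal back down to 120.00
    return vulnerable_checkout_total(cart), hardened_checkout_total(cart), audit_order(cart)


if __name__ == "__main__":
    vulnerable, hardened, audit = reproduce()
    print(f"vulnerable checkout charged: ${vulnerable}")
    print(f"hardened checkout charged:   ${hardened}")
    print(f"audit: {audit}")
```

The fix is not a client-side change: the discount must be computed from the cart contents at the moment the order is placed (ideally in the same transaction that creates the order), and any earlier "coupon applied" state should be treated as a hint, never as authority. The `audit_order` check doubles as a detection rule over historical orders, since it only needs the final subtotal and the discount that was granted.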

(P.S — I did ask them whether I could make a writeup on this. They said it was fine, but they specifically asked me not to mention their Website name anywhere. That’s why I didn’t include any target name in this writeup.)

  • I was awarded $400 as bounty and an additional $200 coupon which can be redeemed for any purchases made only in this particular E-Commerce website.
  • The sec team was super helpful. They responded, resolved and rewarded the bounty, all within 24 hours.

Submitted : 28–07–2022

Accepted : 28–07–2022

Resolved : 29–07–2022

Bounty Awarded : 29–07–2022

I hope y'all learned something new today. I've made two other writeups. Please do check them out as well.

I do share tips about Bug Bounties and related stuff every now and then over at my Twitter and LinkedIn handle. So do follow me there.

If you’ve got any queries, feel free to message me. I will be more than happy to help.

Happy Hacking!

Sagar Sajeev
18 y/o | Security Researcher | Bug Bounty Hunter |