Business Logic Vulnerability via IDOR

  • I did report a Stored XSS, but they said they had already identified it in their recent pentest and it was already in line for a fix.
  • So I started testing the cart checkout option, hoping for some parameter tampering bugs, but couldn't find any.
  • It was then that I noticed the <PID> parameter, which is the Product ID in the request body.
  • I tried various ways to manipulate the amount parameter, but the server-side validation made it impossible to bypass.
  • The amount parameter was not vulnerable, but what about the PID?

The Important Stuff

  1. Add a low priced Product A to the cart. (In the actual PoC, I added a product which was around $10)
  2. Get the PID of any other Product B. (I chose a product which costs $400)

(Do remember that the amount parameter is still $10)

Voilà, now we have technically bought a $400 product for $10.
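The root cause described above is that the checkout endpoint validates the amount on its own but never ties it to the PID it arrives with. The following is an added illustration, not code from the post or the affected site: a constructed catalog with a hypothetical $10 product and $400 product, a handler that reproduces the flaw, and a hardened handler that makes the server-side catalog price authoritative and treats any client/server mismatch as a tampering signal.

```python
from dataclasses import dataclass

# Constructed catalog for illustration only; the post gives no real product IDs.
CATALOG = {"A-cheap": 10.00, "B-pricey": 400.00}


class PriceMismatch(Exception):
    """Raised when the client-supplied amount does not match the catalog price."""


@dataclass
class Order:
    pid: str
    charged: float


def checkout_vulnerable(request: dict) -> Order:
    """Mirrors the flaw in the post: 'amount' is checked in isolation
    (it must be a positive number for a known product), but it is never
    cross-checked against the price of the PID it is paired with."""
    pid = request["pid"]
    amount = float(request["amount"])
    if pid not in CATALOG or amount <= 0:
        raise ValueError("bad request")
    # Charges whatever the client claims the product costs.
    return Order(pid=pid, charged=amount)


def checkout_hardened(request: dict) -> Order:
    """Price is derived on the server from the PID. The client's 'amount'
    is only a consistency check; the order is always charged at catalog price."""
    pid = request["pid"]
    if pid not in CATALOG:
        raise ValueError("unknown product")
    server_price = CATALOG[pid]
    client_amount = float(request.get("amount", server_price))
    # A mismatch is worth logging and alerting on, not just rejecting:
    # a legitimate client never sends a different price than the one it was shown.
    if abs(client_amount - server_price) > 0.005:
        raise PriceMismatch(
            f"pid={pid} client={client_amount:.2f} server={server_price:.2f}"
        )
    return Order(pid=pid, charged=server_price)
```

With the vulnerable handler, a request carrying the $400 PID and a $10 amount is charged $10; the hardened handler rejects the same request and charges $400 whenever the amount is consistent.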

  • They offered me a $2000 coupon as bounty which can be redeemed only for purchases made within that website.
  • And it’s US shipment only. No International Shipments :-/

Sagar Sajeev

18 y/o | Security Researcher | Bug Bounty Hunter