Business Logic Vulnerability via IDOR

How’s it going, everyone? I’m Sagar Sajeev.

In this writeup I would like to share how I was able to buy any product off an E-commerce website for $10. This was possible because of a vulnerable parameter that made an IDOR possible.

The target domain was a start-up E-commerce website.

The Important Stuff

You may be wondering how I figured out the PID of other products. I could just add Product B to the cart and get its PID from there.

Also, I found that the ‘share this product’ option leaks the PID. So I could just copy it from there and use it here.

3. Replace the PID of Product A with PID of Product B in the POST request.

(Do remember that the amount parameter is still $10)

4. Forward the request. Total price will be listed as $10.

5. Make the purchase for $10.

Voilà, now we have technically bought a $400 product for $10.
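The root cause is that the server charged whatever amount the client sent instead of recomputing it from the product the PID refers to. The Python sketch below is an added example, not code from the original writeup or from the affected site; it puts the trusting checkout beside a hardened one that derives the price from a server-side catalog. The PIDs, prices and request dicts are constructed assumptions standing in for the real POST parameters.

```python
"""Server-side price check for the checkout flaw described in this writeup.
Added example, not code from the original post or the affected site; the
catalog, PIDs, prices and request dicts are constructed sample data."""
from decimal import Decimal

# Constructed catalog: the server's authoritative price list.
CATALOG = {
    "PID-A": Decimal("10.00"),   # the cheap product first added to the cart
    "PID-B": Decimal("400.00"),  # the expensive product whose PID is swapped in
}


def vulnerable_total(request: dict) -> Decimal:
    """Trusts the client-supplied 'amount' as long as the PID exists.
    Swapping 'pid' to PID-B while leaving 'amount' at 10 charges $10
    for a $400 product, which is the behaviour the writeup describes."""
    if request["pid"] not in CATALOG:
        raise KeyError("unknown product")
    return Decimal(request["amount"])


def hardened_total(request: dict) -> Decimal:
    """Recomputes the total from the catalog and treats the client's
    'amount' as a claim to verify, never as the price to charge."""
    pid = request["pid"]
    if pid not in CATALOG:
        raise KeyError("unknown product")
    quantity = int(request.get("quantity", 1))
    if quantity < 1:
        raise ValueError("quantity must be a positive integer")
    server_price = CATALOG[pid] * quantity
    claimed = Decimal(request["amount"])
    if claimed != server_price:
        # A legitimate client never disagrees with the catalog, so a mismatch
        # is both a rejection and a detection signal worth alerting on.
        raise ValueError(f"price mismatch for {pid}: client sent {claimed}, "
                         f"catalog says {server_price}")
    return server_price


def accepts(request: dict) -> bool:
    """True if the hardened checkout would charge the request as submitted."""
    try:
        hardened_total(request)
        return True
    except (KeyError, ValueError):
        return False
```

Rejecting on mismatch rather than silently overwriting the amount is deliberate: the mismatch itself is the signal that someone tampered with the request, and it belongs in the logs.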

I know the steps above might have been a bit confusing. I tried my best to explain it in the simplest way possible.

If you’ve still got any doubts, please do contact me on Twitter or LinkedIn.

Timeline

Submitted : 29–07–2022

Accepted : 06–08–2022

Resolved : 10–08–2022

I do occasionally share some tips about Bug Bounties and related stuff over at my Twitter and LinkedIn handle. So do follow me there. If you’ve got any queries, feel free to message me. I will be more than happy to help.

LinkedIn : https://www.linkedin.com/in/sagar-sajeev-663491208/

Twitter : https://twitter.com/Sagar__Sajeev

Thanks for going through my writeup and I hope it was useful to you. I’ve made 8 other writeups on my Medium handle. Please do check those out as well.

Happy Hunting!
