Business Logic Vulnerability via IDOR
How’s it going everyone. I’m Sagar Sajeev
In this writeup I would like to share how I was able to buy any product off an E-commerce website for $10. This was possible because of a vulnerable parameter which made IDOR possible.
The target domain was a start-up E-commerce website.
- I did report a Stored XSS, but they said they had already identified it in their recent pentest and it was already in line for a fix.
- So I started testing the cart checkout option, hoping for some Parameter tampering bugs. But couldn’t find any.
- It was then that I noticed the PID parameter, which is the Product ID in the request body.
- I tried various ways to manipulate the amount parameter, but the server-side validation made it impossible to bypass.
- The amount parameter was not vulnerable, but what about the PID?
The Important Stuff
1. Add a low priced Product A to the cart. (In the actual PoC, I added a product which was around $10)
2. Get the PID of any other Product B. (I chose a product which costs $400)
You may be wondering how I figured out the PID of other products. I could just add Product B to the cart and get the PID from there.
I also found that the ‘share this product’ option leaks the PID. So I could just copy it from there and use it here.
3. Replace the PID of Product A with the PID of Product B in the POST request.
(Do remember that the amount parameter is still $10)
4. Forward the request. The total price will be listed as $10.
5. Make the purchase for $10.
Voilà, now we have technically bought a $400 product for $10.
I know the steps above might have been a bit confusing. I tried my best to explain it in the simplest way possible.
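To make the root cause concrete, here is an added example (not the site's code or the author's) of the checkout pattern described above beside a fixed version: the amount field is validated against the server-side cart, but the PID that gets fulfilled is taken straight from the request. The catalog, cart, prices and names are constructed assumptions.

```python
# Constructed data standing in for the site's product catalog and the
# server-side cart the user built (prices in USD). Names are assumptions.
CATALOG = {"PID-A": 10.00, "PID-B": 400.00}
SERVER_CART = {"cart-1": {"pid": "PID-A", "amount": 10.00}}


class PriceMismatch(Exception):
    pass


def checkout_vulnerable(cart_id, req):
    """Pattern described in the writeup: the amount field is checked
    against what the server stored for the cart, so tampering with it
    fails, but the PID that gets fulfilled is taken from the request."""
    cart = SERVER_CART[cart_id]
    if abs(req["amount"] - cart["amount"]) > 0.005:
        raise PriceMismatch("amount tampered")   # this check held up
    if req["pid"] not in CATALOG:
        raise KeyError(req["pid"])
    # No check that req["pid"] is the product the amount was computed for.
    return {"ship_pid": req["pid"], "charge": round(req["amount"], 2)}


def checkout_hardened(cart_id, req):
    """The PID must match the cart, and the charge is re-derived from the
    catalog on the server; the client's amount is only cross-checked."""
    cart = SERVER_CART[cart_id]
    if req["pid"] != cart["pid"]:
        raise PriceMismatch(f"PID {req['pid']} does not match cart {cart['pid']}")
    price = CATALOG.get(req["pid"])
    if price is None:
        raise KeyError(req["pid"])
    if abs(req["amount"] - price) > 0.005:
        raise PriceMismatch(f"client sent {req['amount']}, catalog price is {price}")
    return {"ship_pid": req["pid"], "charge": round(price, 2)}


def order_is_consistent(order):
    """Post-hoc check over placed orders: flags any record whose charge
    disagrees with the catalog price of the product actually shipped."""
    return abs(order["charge"] - CATALOG[order["ship_pid"]]) < 0.005
```

The last function is the detection side: running it over historical orders surfaces past purchases where the shipped PID and the charged amount never belonged together.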
- They offered me a $2000 coupon as bounty which can be redeemed only for purchases made within that website.
- And it’s US shipment only. No International Shipments :-/
Submitted : 29–07–2022
Accepted : 06–08–2022
Resolved : 10–08–2022
I do occasionally share some tips about Bug Bounties and related stuff over at my Twitter and LinkedIn handles. So do follow me there. If you’ve got any queries, feel free to message me. I will be more than happy to help.
Twitter : https://twitter.com/Sagar__Sajeev
Thanks for going through my writeup and I hope it was useful to you. I’ve made 8 other writeups on my Medium handle. Please do check those out as well.