Description
During a penetration testing engagement at CyberAR, I discovered a critical vulnerability that allows attackers to purchase products at significantly reduced prices through quantity manipulation.
Exploit Begins
While exploring the website, I identified it as an online store selling various products. After completing some initial test cases, I navigated to the product section to conduct further testing. I selected a product and intercepted the request when I clicked “Add to Cart” to examine the associated request
I noticed a parameter labeled “quantity” which determines the number of items to purchase. I attempted to manipulate this parameter by changing its value from 1 to 0.5 Although the response didn’t indicate any changes, I added the product to my cart and then opened my cart to proceed. I decided to test the item update function.
Next, I intercepted the request and increased the quantity to 2. Upon reviewing the request, I noticed the quantity parameter along with some different parameters compared to the previous request. I then changed the quantity from 2 to 0.5 and observed a price reduction from $3000 to $1500.
To realize a greater effect of this vulnerability, I repeated the process, adjusting the quantity to an even smaller value of 0.01
When I clicked on checkout, I noticed the price changed to $30, with an additional $80 for shipping, bringing the total to $110 instead of the original $3080.
To clarify further, the product price is $3000. When I increase the quantity, the price adjusts accordingly:
- For a quantity of 2: $3000 * 2 = $6000
- For a quantity of 0.5: $3000 * 0.5 = $1500
- For a quantity of 0.01: $3000 * 0.01 = $30
However, I needed to confirm whether this was just a user interface (UI) issue, so I continued with the purchasing process. I entered payment information that did not contain sufficient funds to cover the full amount. Upon clicking “Place Order,” I received a notification indicating that the transaction was successful at $110, rather than the expected $3080. The order was ultimately declined due to insufficient funds on the card.
Test Case for Financial Loss Calculation
Objective: To determine the financial loss incurred by the company due to the exploitation of the vulnerability.
Assumption:
- Number of users: 100
Details:
- Total original price of products: $74,718
- Price after exploiting the vulnerability: $747.18
Calculations:
- Calculate the total original price for 100 users:
- 74,718 × 100 = $7,471,800
2. Calculate the total price for 100 users after using the vulnerability:
- 747.18 × 100 = $74,718
3. Calculate the total financial loss:
- 7,471,800 − 74,718 = $7,397,082
Total Financial Loss:
The total financial loss incurred by the company is $7,397,082
Summary
This discovery highlights a significant security vulnerability related to quantity manipulation in the purchasing process. Attackers could exploit this flaw to acquire products at greatly reduced prices, which poses a serious risk to the integrity of the online store and its revenue. Immediate action is necessary to address and remediate this vulnerability.