During a penetration testing engagement at CyberAR, I discovered a critical vulnerability that allows attackers to purchase products at significantly reduced prices by manipulating the quantity parameter: the server accepted a fractional quantity and multiplied it into the price.
While exploring the website, I identified it as an online store selling various products. After completing some initial test cases, I navigated to the product section to conduct further testing. I selected a product, clicked “Add to Cart”, and intercepted the resulting request to examine it.
I noticed a parameter labeled “quantity” which determines the number of items to purchase. I attempted to manipulate this parameter by changing its value from 1 to 0.5. Although the response didn’t indicate any change, I added the product to my cart and then opened the cart to proceed. I decided to test the item update function.
Next, I intercepted the update request and increased the quantity to 2. Reviewing this request, I saw the quantity parameter along with several parameters that differed from the previous request. I then changed the quantity from 2 to 0.5 and observed the price drop from $3000 to $1500.
To see how far this could be pushed, I repeated the process with an even smaller value, 0.01.
When I clicked on checkout, the price had changed to $30, with an additional $80 for shipping, bringing the total to $110 instead of the original $3080.
To clarify further, the product price is $3000. When I increase the quantity, the price adjusts accordingly:
However, I needed to confirm whether this was just a user interface (UI) issue, so I continued with the purchasing process. I entered payment details for a card that did not have sufficient funds to cover the full amount. Upon clicking “Place Order,” I received a notification indicating that the transaction was successful at $110, rather than the expected $3080. The order was ultimately declined due to insufficient funds on the card.
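The following is an added example, not code from the original write-up or from the affected store. It reproduces the pricing defect described above in a small cart-total function and places a hardened version beside it. The $3000 unit price and $80 shipping charge are taken from the post; the request layout (item_id and quantity form fields), the function names, and the MAX_QUANTITY cap are assumptions.

```python
"""Quantity manipulation in a cart total: trusting a client-supplied quantity
versus validating it.

Added example, not code from the original write-up or from the affected store.
The $3000 unit price and $80 shipping come from the post; the request layout
(item_id/quantity form fields), function names and the MAX_QUANTITY cap are
assumptions.
"""
from decimal import Decimal, ROUND_HALF_UP
from typing import Optional
from urllib.parse import parse_qs

UNIT_PRICE = Decimal("3000.00")  # server-side catalog price from the write-up
SHIPPING = Decimal("80.00")      # flat shipping charge from the write-up
MAX_QUANTITY = 99                # assumed per-line-item cap
CENTS = Decimal("0.01")

# Constructed request bodies modelled on the post's "update cart item" request.
REQUESTS = {
    "honest":   "item_id=1234&quantity=1",
    "double":   "item_id=1234&quantity=2",
    "half":     "item_id=1234&quantity=0.5",   # $1500 item price in the post
    "penny":    "item_id=1234&quantity=0.01",  # $30 + $80 shipping = $110
    "zero":     "item_id=1234&quantity=0",
    "negative": "item_id=1234&quantity=-1",
    "sci":      "item_id=1234&quantity=1e-2",  # same value as 0.01, different spelling
}


def vulnerable_total(body: str) -> Decimal:
    """Vulnerable: any numeric string the client sends is multiplied into the price.

    The price itself never comes from the client, which is why the Add to Cart
    response looked unchanged; the defect is the missing type and range check
    on quantity.
    """
    params = parse_qs(body)
    quantity = Decimal(params.get("quantity", ["1"])[0])  # 0.5, 0.01, -1, 1e-2 all parse
    total = UNIT_PRICE * quantity + SHIPPING
    return total.quantize(CENTS, rounding=ROUND_HALF_UP)


class InvalidQuantity(ValueError):
    """Raised when the quantity is not a plain positive integer within range."""


def parse_quantity(raw: Optional[str]) -> int:
    """Hardened: accept only an ASCII decimal integer between 1 and MAX_QUANTITY."""
    # str.isdigit() alone admits non-ASCII digits such as "٣" or "²"; isascii() closes that.
    if raw is None or not raw.isascii() or not raw.isdigit():
        # Rejects "", "0.5", "0.01", "-1", "+1", "1e-2", " 1" and non-ASCII digits.
        raise InvalidQuantity(f"quantity must be a positive integer, got {raw!r}")
    quantity = int(raw)
    if not 1 <= quantity <= MAX_QUANTITY:
        raise InvalidQuantity(f"quantity {quantity} outside 1..{MAX_QUANTITY}")
    return quantity


def hardened_total(body: str) -> Decimal:
    """Hardened: validate the quantity, then price from the server-side catalog only."""
    params = parse_qs(body)
    quantity = parse_quantity(params.get("quantity", [None])[0])
    return (UNIT_PRICE * quantity + SHIPPING).quantize(CENTS, rounding=ROUND_HALF_UP)


def compare(body: str) -> tuple:
    """Return (vulnerable total, hardened total or rejection message) for one request."""
    try:
        hardened = str(hardened_total(body))
    except InvalidQuantity as exc:
        hardened = f"rejected: {exc}"
    return vulnerable_total(body), hardened


if __name__ == "__main__":
    for name, body in REQUESTS.items():
        vulnerable, hardened = compare(body)
        print(f"{name:9} {body:30} vulnerable={str(vulnerable):>9}  hardened={hardened}")
```

The same validation has to run on every endpoint that writes a quantity (Add to Cart, cart update, and the final checkout recomputation), since the first request in the post silently accepted 0.5 even though the visible price only changed on the update request.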
Objective: To determine the financial loss incurred by the company due to the exploitation of the vulnerability.
2. Calculate the total price for 100 users after exploiting the vulnerability:
3. Calculate the total financial loss:
The total financial loss incurred by the company is $7,397,082.
This discovery highlights a significant security vulnerability related to quantity manipulation in the purchasing process. Attackers could exploit this flaw to acquire products at greatly reduced prices, which poses a serious risk to the integrity of the online store and its revenue. The root cause is that the server accepted a non-integer quantity and multiplied it into the price; the fix is to validate the quantity server-side as a positive integer within a sensible range (rejecting zero, negative and fractional values) on every endpoint that sets it, and to recompute the total from that validated value before payment is authorised. Immediate action is necessary to address and remediate this vulnerability.