Bounty $1000 — Critical Business Logic Flaw leads to Account Takeover & Product Order Amount Manipulation


This is Muhammad Asim Shahzad, a.k.a. “protector47”.

Today I will discuss two interesting business logic flaws: one let me get full access to any user’s account without the user’s interaction, and the other let me manipulate the order amount of an eCommerce store.

In this write-up, I’ll discuss two different Business Logic Vulnerabilities:

  1. Critical Business Logic Flaw leads to Account Takeover
  2. Business Logic Flaw leads to order price manipulation.

Let the story begin…

What are business logic vulnerabilities?

Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior. This potentially enables attackers to manipulate legitimate functionality to achieve a malicious goal. These flaws are generally the result of failing to anticipate unusual application states that may occur and, consequently, failing to handle them safely.

Flaw # 1: Critical Business Logic Flaw leads to Account Takeover

I was testing a program on HackerOne. As usual, I’m not allowed to disclose the program name because it was a private program.

There was functionality to create your public profile and a feature to view your profile as other users see it.

I created my profile, clicked the profile preview button and intercepted both the request and the response. I noticed that the server sent the authorization token in the response to the profile preview request, and luckily the request also carried my user_id.

I hope the smart boys & girls have already spotted the vulnerability… ;)


Okay, continue reading the article…

I just changed the “user_id” from my ID to the victim’s ID, and what happened?

After replacing the user_id, I received the victim’s authorization token in the response to the request. SHIT!!!!!

I just replaced the authorization token using a cookie injector and got into the victim’s account. I reported one more flaw to them: the authorization token was not bound to the session ID.

There was a limitation: the victim had to be logged in at the moment you sent the profile preview request to steal his authorization token, which is why the bounty was only $1,000 :(


Flaw # 2: Business Logic Flaw leads to order price manipulation.

It was an eCommerce store where you can purchase products online. Due to a lack of input validation, I was able to manipulate the order price.

I manipulated the JSON object by supplying a negative product quantity, for example “quantity=-2”.

How did I manipulate the total price of the order?

  1. Let’s assume Product X and Product Y.
  2. Product X costs $20 and Product Y costs $10.
  3. I added two of Product X and two of Product Y to the cart.
  4. The total order amount becomes ($20*2) + ($10*2) = $60.
  5. During checkout, I changed the quantity value of Product Y from “2” to “-2”.
  6. The application deducts the Product Y amount from the total amount and places the order…
  7. The application did something like this: $60 - $20 = $40, and ordered products worth $60 :)

I ordered 4 products worth $60 for $40 and got the order confirmation email as well.

Price Manipulated !!!!
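Flaw #2 in code, as an added example that is not from the post or from the store it describes. The catalogue, the server-side cart and the two checkout payloads are constructed; the vulnerable handler assumes the store priced a changed line as price × quantity on top of the already-computed subtotal, since that is the arithmetic the author reports ($60 - $20 = $40); the hardened handler rejects any quantity that is not a positive whole number and recomputes the order from catalogue prices instead of adjusting a stored total.

```python
import json
from decimal import Decimal

# Constructed catalogue with the write-up's unit prices for Product X and Product Y.
CATALOG = {"X": Decimal("20.00"), "Y": Decimal("10.00")}
MAX_QTY = 100  # assumed per-line ceiling; use whatever the business actually allows

CART = {"X": 2, "Y": 2}  # constructed server-side cart from the write-up: $60 in total

# Constructed checkout payloads: the honest one and the tampered one ("quantity": -2 for Y).
HONEST_ORDER = '{"items": [{"sku": "X", "quantity": 2}, {"sku": "Y", "quantity": 2}]}'
TAMPERED_ORDER = '{"items": [{"sku": "X", "quantity": 2}, {"sku": "Y", "quantity": -2}]}'

def cart_total(cart: dict) -> Decimal:
    """Prices a cart from catalogue prices and the quantities it holds."""
    return sum((CATALOG[sku] * qty for sku, qty in cart.items()), Decimal("0"))

def vulnerable_checkout(cart: dict, order_json: str) -> Decimal:
    """Assumed model of the flawed store: a line whose quantity differs from the stored cart
    is priced as price * quantity and added on top of the subtotal, with no check on the sign."""
    total = cart_total(cart)
    for item in json.loads(order_json)["items"]:
        sku, qty = item["sku"], item["quantity"]
        if qty != cart.get(sku):
            total += CATALOG[sku] * qty  # for Y: $60 + $10 * (-2) = $40
    return total

def hardened_checkout(order_json: str) -> Decimal:
    """Validates every submitted line server-side, then recomputes the whole order
    from catalogue prices rather than adjusting a previously computed subtotal."""
    validated = {}
    for item in json.loads(order_json)["items"]:
        sku, qty = item.get("sku"), item.get("quantity")
        if sku not in CATALOG:
            raise ValueError(f"unknown product {sku!r}")
        # bool is a subclass of int, so exclude it; then require a whole number in [1, MAX_QTY].
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise ValueError(f"invalid quantity {qty!r} for product {sku}")
        validated[sku] = qty
    return cart_total(validated)

if __name__ == "__main__":
    print("vulnerable, honest:  ", vulnerable_checkout(CART, HONEST_ORDER))    # 60.00
    print("vulnerable, tampered:", vulnerable_checkout(CART, TAMPERED_ORDER))  # 40.00
    print("hardened, honest:    ", hardened_checkout(HONEST_ORDER))            # 60.00
    try:
        hardened_checkout(TAMPERED_ORDER)
    except ValueError as exc:
        print("hardened, tampered:   rejected ->", exc)
```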


Thanks for reading this article, I hope you guys learned something new today. Please share this article to spread the knowledge.

SRT Member | Bug Bounty Hunter at HackerOne | Cyber Security Trainer | Application Security Lead at Financial Sector in Pakistan
