June 5, 2026
Price Manipulation in Payment Gateway / Shopping Cart
Critical vulnerability found in a real production environment
Sebastian Vargas
3 min read
My name is Sebastian Vargas Paez. I am an independent Colombian cybersecurity researcher who usually participates in VDP and Bug Bounty programs on platforms such as HackerOne and YesWeHack.
Today I want to share a critical vulnerability that I found in a production environment of a Colombian education company that let me buy high-cost products (courses) for less than 1 dollar. I won't disclose information about the company, but I will walk you step by step through how I found this critical vulnerability.
I was looking for independent VDP programs with some Google Dorks and I found a Colombian education company that caught my attention because I'm Colombian 🇨🇴 and it is not common to find Colombian companies in VDP or BBP.
I decided to try this company and tried different approaches. I tried finding subdomains, but the infrastructure wasn't too complex, so I just found an admin panel where I tried some basic email enumeration, but it wasn't leaking any information.
After that I decided to focus on the shopping cart. I started to evaluate how the backend was handling the information before sending it to the payment gateway, and at that moment I realized the data was being sent as JSON to the backend and the backend never checked the information; it just accepted whatever data was sent from the frontend.
A malicious attacker could intercept and modify the HTTP request at the moment it is sent to the payment gateway, changing the price to any desired amount, as long as it exceeds the minimum amount accepted by the payment gateway (1,500 COP), less than 1 dollar.
This could allow the attacker to successfully complete the transaction and obtain, in this case, a product valued at 600,000 COP (170 USD) for only 1,500 COP (0.40 USD). In this way, the attacker could sell accounts with full access to this and subsequent courses, or steal the course information (product) and resell it.
The backend trusts the data provided by the frontend to process the total order cost instead of validating and verifying prices directly on the backend. Using tools such as Burp Suite, it is possible to modify these values stored in JSON format before the product price is sent to the payment gateway.
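The fix for this class of bug is for the backend to recompute the order total from its own catalog and never use a price the client sent. The following is an added example (not code from the post or from the affected company) contrasting the trusting behaviour described above with a hardened checkout; the catalog contents, product ids, request shape and the function names are assumptions, while the 600,000 COP price and the 1,500 COP gateway minimum are the figures given in the post.

```python
import logging
from typing import Any

log = logging.getLogger("checkout")

# Constructed server-side catalog (prices in COP). The real product ids and
# prices are not known; "curso-101" reuses the 600,000 COP figure from the post.
CATALOG: dict[str, int] = {
    "curso-101": 600_000,
    "curso-102": 250_000,
}

# Minimum amount the payment gateway accepts, as stated in the post.
GATEWAY_MIN_COP = 1_500


class CheckoutError(ValueError):
    """Raised when an order cannot be priced on the server."""


def vulnerable_amount(order: dict[str, Any]) -> int:
    """Before: the backend forwards whatever 'amount' the frontend sent.

    This mirrors the behaviour the post describes: a tampered request with
    amount=1500 reaches the gateway unchanged.
    """
    return int(order["amount"])


def server_side_amount(order: dict[str, Any]) -> int:
    """Recompute the order total from the catalog, ignoring client-sent prices."""
    items = order.get("items")
    if not isinstance(items, list) or not items:
        raise CheckoutError("order contains no items")
    total = 0
    for item in items:
        product_id = item.get("productId")
        if product_id not in CATALOG:
            raise CheckoutError(f"unknown product {product_id!r}")
        qty = item.get("quantity", 1)
        # bool is a subclass of int, so it has to be excluded explicitly
        if isinstance(qty, bool) or not isinstance(qty, int) or qty < 1:
            raise CheckoutError(f"invalid quantity for {product_id!r}")
        total += CATALOG[product_id] * qty
    return total


def prepare_gateway_payload(order: dict[str, Any]) -> dict[str, Any]:
    """After: build the gateway request from server-computed values only.

    Any 'amount' or 'sellingPrice' the client sent is compared against the
    server total purely as a tamper signal for logging and alerting; it never
    influences what is charged.
    """
    total = server_side_amount(order)
    if total < GATEWAY_MIN_COP:
        raise CheckoutError(f"total {total} COP is below the gateway minimum")
    tamper_suspected = False
    for field in ("amount", "sellingPrice"):
        if field in order and int(order[field]) != total:
            tamper_suspected = True
            log.warning("client %s=%s disagrees with server total %s",
                        field, order[field], total)
    return {"amount": total, "currency": "COP",
            "tamperSuspected": tamper_suspected}


# Constructed request body modelled on the tampered JSON described in the post:
# the client claims both amount and sellingPrice are 1,500 COP.
TAMPERED_ORDER: dict[str, Any] = {
    "items": [{"productId": "curso-101", "quantity": 1}],
    "amount": 1500,
    "sellingPrice": 1500,
}

if __name__ == "__main__":
    print("vulnerable backend charges:", vulnerable_amount(TAMPERED_ORDER))
    print("hardened backend sends:", prepare_gateway_payload(TAMPERED_ORDER))
```

With the constructed tampered order, the vulnerable path charges 1,500 COP while the hardened path charges 600,000 COP and flags the mismatch. Logging the disagreement between client-sent and server-computed amounts is also a cheap detection signal: legitimate frontends never disagree with the catalog, so every such warning is worth an alert.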
POC
- Log in to the platform, go to the product catalog, and select the available product: https://redacted.com/catalogo/
- Go to the shopping cart to proceed to checkout.
- Intercept the HTTP request in Burp Suite.
- Modify the amount and sellingPrice parameters to 1,500 COP or another higher value.
- Forward the HTTP request and return to the browser.
- Complete the payment using an authorized card or payment method.
- Once the payment is successful, a confirmation email will be received.
- Return to the application, and access to the purchased product (course) will already be granted for 1,500 COP, less than 1 dollar.
Impact
As demonstrated, a malicious user could acquire access to this product (course) basically for free, which represents a critical risk of financial loss and electronic fraud within the application.