How I was able to change a watch's price using parameter tampering
First, let's talk about what parameter tampering is.
Parameter Tampering
In essence, parameter tampering is a web-based attack on business logic. It involves modifying application data, such as user credentials, permissions, prices, quantities of goods, etc., by manipulating the parameters that are exchanged between the client and the server. It becomes a threat to a company's security when an unauthorized person tampers with and manipulates the website's URL, form fields, or other request parameters.
Let's now examine the three possibilities: turning a costly item into a cheap one, allowing unlimited cards, and adjusting the price.
POC:
As this is a private website, I cannot disclose its details.
Now, as you can see, the watch's price is ₹12k.
Fill in the details to buy the watch (name, address, etc.) and submit.
You will then see the final payment step. When you press the final pay button, it redirects you to CCAvenue's payment gateway; capture this request in Burp.
You'll be able to see the official price of the watch in the request. Let's try to change the price.
Friends, look: the price is successfully changed💥
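The root cause of the finding above is that the price travels through the client and the server trusts whatever comes back. The following is an added example, not code from the original post or from the affected site or CCAvenue, showing the vulnerable pattern beside a hardened one: the server recomputes the amount from its own catalog and verifies an HMAC it issued over the order, rejecting and logging any mismatch. The catalog entry, the secret, the field names and the `TamperedOrder` exception are all constructed for illustration.

```python
import hmac
import hashlib
import logging

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")

# Constructed server-side catalog: the only trusted source of prices.
# Amount is in whole rupees; the watch from the write-up costs ₹12k.
CATALOG = {"WATCH-001": 12000}

# Constructed secret for the demo; a real deployment loads it from a secret store.
SERVER_SECRET = b"example-secret-do-not-use-in-production"


class TamperedOrder(Exception):
    """Raised when the client-supplied order does not match what the server issued."""


def _sign(order_id: str, sku: str, qty: int, amount: int) -> str:
    """HMAC over every field that determines what gets charged."""
    msg = f"{order_id}|{sku}|{qty}|{amount}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def create_order(order_id: str, sku: str, qty: int) -> dict:
    """Server builds the checkout form: price comes from the catalog, not the client."""
    amount = CATALOG[sku] * qty
    return {
        "order_id": order_id,
        "sku": sku,
        "qty": str(qty),
        "amount": str(amount),
        "sig": _sign(order_id, sku, qty, amount),
    }


def insecure_checkout(form: dict) -> dict:
    """Vulnerable pattern: the amount sent to the gateway is whatever the client posted.

    Anyone who can edit the request (browser dev tools, an intercepting proxy)
    can set 'amount' to any value, which is exactly the finding in the post.
    """
    return {"order_id": form["order_id"], "amount": int(form["amount"])}


def secure_checkout(form: dict) -> dict:
    """Hardened pattern: recompute the amount server-side and verify the order signature."""
    order_id, sku = form["order_id"], form["sku"]
    try:
        qty = int(form["qty"])
        client_amount = int(form["amount"])
    except (KeyError, ValueError) as exc:
        raise TamperedOrder("malformed quantity or amount") from exc

    if qty <= 0 or sku not in CATALOG:
        raise TamperedOrder("unknown sku or invalid quantity")

    # Authoritative price: derived from the catalog, never read from the form.
    expected_amount = CATALOG[sku] * qty

    # The signature proves these fields are the ones this server issued.
    expected_sig = _sign(order_id, sku, qty, expected_amount)
    if not hmac.compare_digest(expected_sig, form.get("sig", "")):
        logging.warning("order %s: signature mismatch, possible parameter tampering", order_id)
        raise TamperedOrder("signature mismatch")

    # Belt and braces: a differing client amount is logged as a detection signal
    # even though only expected_amount is ever forwarded to the gateway.
    if client_amount != expected_amount:
        logging.warning(
            "order %s: client amount %d != catalog amount %d",
            order_id, client_amount, expected_amount,
        )
        raise TamperedOrder("amount mismatch")

    return {"order_id": order_id, "amount": expected_amount}


if __name__ == "__main__":
    issued = create_order("ORD-1001", "WATCH-001", 1)
    tampered = dict(issued, amount="1")  # the edit made in the proxy
    print("insecure:", insecure_checkout(tampered))  # charges ₹1
    try:
        secure_checkout(tampered)
    except TamperedOrder as e:
        print("secure rejected:", e)
    print("secure accepted:", secure_checkout(issued))
```

The important design choice is that `secure_checkout` never forwards the posted amount at all; the signature check and the amount comparison exist so the mismatch is visible in logs rather than silently corrected, which gives the defending team a detection signal for tampering attempts.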
I hope you all find this beneficial. Happy hacking!