Lord777
Hello everyone.
Three things for the price of one, 99% off, free soccer or burger tickets. Sometimes this is possible.

Try to manage quantity
For example, you have selected 1 product, change it to 3 to get two items for free:
Code:
POST /buying-something HTTP/1.1
Host: www.company.com

Quantity=3&price=10&currency=dollar&token=************&add=egy
You can see real examples of such a vulnerability here (https://hackerone.com/reports/364843), here (https://hackerone.com/reports/403783) and here (https://hackerone.com/reports/771694) ...

Try to manipulate the price
For example, the original price is 10, change it to -10 or to a decimal value such as 0.10 to get a cheaper item. You can also use zero, NaN, or null to cause logical problems:
Code:
POST /buying-something HTTP/1.1
Host: www.company.com

Quantity=1&price=-10&currency=dollar&token=************&add=egy
Examples of such reports can be found here (https://hackerone.com/reports/927661) and here (https://hackerone.com/reports/422331).

Try using parameter pollution
For example:
Code:
POST /buying-something HTTP/1.1
Host: www.company.com

Quantity=1&Quantity=2&price=10&currency=dollar&token=************&add=egy

Try to manipulate currency
For example, the initial currency is USD, try changing it to INR to get a cheaper item:
Code:
POST /buying-something HTTP/1.1
Host: www.company.com

Quantity=1&price=10&currency=INR&token=************&add=egy

Follow the execution logic and parameters
Select PayPal or CoinPayments as your payment method. By intercepting all requests, you can find a parameter called "Success", "Referer" or "Callback". If the value inside the parameter has a URL like:
Code:
example.com/payment/MD5HASH
Copy it and open it in a new window. You may find that your payment was successful.

Skip some steps
If you place your first order and go through all the steps, for example:
Code:
/order/1/shipping ->
/order/1/payment ->
/order/1/confirmation
Try to make a second order and skip the payment step, replacing the ID at the confirmation step:
Code:
/order/2/shipping ->
then go to Burp Repeater and change
Code:
/order/1/confirmation to /order/2/confirmation
and execute the request.

All information is provided for informational purposes only. We are not responsible for your actions.
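The defensive counterpart to every check in the post above, as an added example that is not part of the original post and not any real shop's code: a hypothetical server-side order parser plus a checkout state machine. The field names (Quantity, price, currency, token, add) and the SKU "egy" come from the post's sample requests; the catalog, the quantity limit, the order steps and the gateway-verification flag are assumptions. It refuses polluted parameters, rejects non-integer or out-of-range quantities, recomputes the total from the server's catalog so client-sent price and currency cannot change what is charged, and only lets an order reach confirmation after a server-verified payment, so jumping from /order/2/shipping to /order/2/confirmation is rejected.

```python
"""Server-side hardening for the checkout requests in the post above.

Added example for a hypothetical shop (not any real project's code). Field
names and the SKU "egy" are taken from the post's sample requests; catalog,
limits and order flow are assumptions made for this example.
"""
from decimal import Decimal, InvalidOperation
from enum import Enum
from urllib.parse import parse_qs

# Constructed catalog: SKU -> (unit price, currency). The server's catalog is
# the only source of truth for money; nothing the client sends changes it.
CATALOG = {"egy": (Decimal("10.00"), "USD")}
MAX_QTY = 10


class OrderError(ValueError):
    """Raised for any request that fails validation (answer with HTTP 400)."""


def _price_matches(value: str, unit_price: Decimal) -> bool:
    try:
        return Decimal(value) == unit_price   # NaN, -10, 0.10 all compare unequal
    except InvalidOperation:                  # "null", "", letters
        return False


def parse_order(body: str) -> dict:
    """Validate a form-encoded checkout body and compute the total server-side."""
    fields = parse_qs(body, keep_blank_values=True)
    # Parameter pollution: fold case, then refuse any name sent more than once
    # instead of letting "first wins" / "last wins" decide (Quantity=1&Quantity=2).
    seen: dict[str, list[str]] = {}
    for key, values in fields.items():
        seen.setdefault(key.lower(), []).extend(values)
    dup = sorted(k for k, v in seen.items() if len(v) > 1)
    if dup:
        raise OrderError(f"duplicate parameter(s): {dup}")
    flat = {k: v[0] for k, v in seen.items()}
    for required in ("quantity", "add", "token"):
        if required not in flat:
            raise OrderError(f"missing {required}")
    # Quantity must be a positive integer within a business limit. int()
    # already rejects "NaN", "null", "1.5" and the empty string.
    try:
        qty = int(flat["quantity"])
    except ValueError:
        raise OrderError("quantity is not an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise OrderError("quantity out of range")
    sku = flat["add"]
    if sku not in CATALOG:
        raise OrderError("unknown item")
    unit_price, currency = CATALOG[sku]
    # Client-supplied price/currency never feed the total. If present and
    # different from the catalog, flag the request for logging and alerting.
    tampered = (
        ("price" in flat and not _price_matches(flat["price"], unit_price))
        or ("currency" in flat and flat["currency"].upper() != currency)
    )
    return {"sku": sku, "quantity": qty, "currency": currency,
            "total": unit_price * qty, "tampered": tampered}


class Step(Enum):
    CREATED = 0
    SHIPPING = 1
    PAID = 2
    CONFIRMED = 3


class Order:
    def __init__(self, order_id: int, total: Decimal):
        self.id, self.total, self.step = order_id, total, Step.CREATED


class Checkout:
    """Order state lives on the server, keyed by order id, so editing the id in
    a URL cannot move an order to a later step than it has actually reached."""

    def __init__(self) -> None:
        self.orders: dict[int, Order] = {}

    def create(self, parsed: dict) -> Order:
        order = Order(len(self.orders) + 1, parsed["total"])
        self.orders[order.id] = order
        return order

    def _advance(self, order_id: int, expected: Step, new: Step) -> Order:
        order = self.orders.get(order_id)
        if order is None:
            raise OrderError("no such order")
        if order.step is not expected:
            raise OrderError(f"order {order_id} is at {order.step.name}, not {expected.name}")
        order.step = new
        return order

    def shipping(self, order_id: int) -> Order:
        return self._advance(order_id, Step.CREATED, Step.SHIPPING)

    def record_payment(self, order_id: int, amount: Decimal, gateway_verified: bool) -> Order:
        # Only a server-to-server gateway notification whose signature has been
        # verified by the integration reaches here; the browser's "Success" /
        # "Callback" redirect URL is never treated as proof of payment.
        order = self.orders.get(order_id)
        if order is None or not gateway_verified or amount != order.total:
            raise OrderError("payment not verified for the full amount")
        return self._advance(order_id, Step.SHIPPING, Step.PAID)

    def confirm(self, order_id: int) -> Order:
        return self._advance(order_id, Step.PAID, Step.CONFIRMED)
```

The `tampered` flag is the detection hook: a request whose price or currency disagrees with the catalog is harmless to the total but is exactly the signal worth logging and alerting on, since legitimate clients never send a different value than the one the server rendered.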