Bypassing paid functionality


· Introduction about functionality

· Bypassing paid functionality

· Vulnerability

· How to fix

· Recommendation

· Introduction about functionality: I am working on a website, let’s call it “”. The website provides e-mail templates. The website has two plans, Free and Business. The Free plan has limited functionality, but in the Business plan you can add other members of your organization to use “”.

With the Business plan, you can add as many users as you want, but each user costs $7. So suppose you want to add two users; it will cost $14. After choosing the Business plan, I chose to add 5 more users, and it cost me $35.

· Bypassing paid functionality:

1. Configure Burp Suite to listen for all the requests coming from your browser.

2. After completing the service configuration shown in the screenshot above, choose to pay via card.

3. Enter any valid credit card and proceed.

4. Intercept the request in Burp and look for the request going to the payment gateway.

5. Modify the value of amount and change it to $0.

6. The transaction succeeds and the users have been added without paying anything.

· Vulnerability: The application does not verify the amount on the server side and lets the value of the amount travel in plain text in the request. Since there was no server-side validation, the transaction succeeds without any payment.

· How to Fix:

1. Use encrypted amount values.

2. Instead of sending the amount in the request, assign unique IDs to the plans and retrieve the amount of the plan via its unique ID, and do that on the server side.
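
The second fix above, sketched in Python as an added example (not code from the website described or from the original post): the server prices the order from the plan ID and seat count, and users are added only when the amount confirmed by the payment gateway matches that price. The plan ID `business`, the request field names and the seat limit are assumptions; the $7-per-user price is the one given in the article.

```python
# Server-side price catalogue in cents. $7 per user is from the article;
# the plan ID "business" and all field names are assumed for illustration.
PLAN_PRICE_CENTS = {"business": 700}
MAX_SEATS = 1000  # assumed sanity limit on users per order


class OrderError(ValueError):
    """Raised when an order cannot be priced or the payment does not match."""


def charge_vulnerable(request: dict) -> int:
    """Flawed pattern described above: the charged amount comes from the client."""
    return int(request["amount_cents"])


def charge_hardened(request: dict) -> int:
    """Price the order from plan ID and seat count; any client amount is ignored."""
    plan = request.get("plan_id")
    if plan not in PLAN_PRICE_CENTS:
        raise OrderError("unknown plan")
    seats = request.get("seats")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(seats, bool) or not isinstance(seats, int):
        raise OrderError("seat count must be an integer")
    if not 1 <= seats <= MAX_SEATS:
        raise OrderError("seat count out of range")
    return PLAN_PRICE_CENTS[plan] * seats


def provision_seats(request: dict, gateway_paid_cents: int) -> int:
    """Add users only if the gateway-confirmed amount equals the server's price."""
    expected = charge_hardened(request)
    if gateway_paid_cents != expected:
        raise OrderError(f"paid {gateway_paid_cents}, expected {expected}")
    return request["seats"]


# Constructed sample: 5 extra users with the amount field changed to 0.
TAMPERED = {"plan_id": "business", "seats": 5, "amount_cents": 0}

if __name__ == "__main__":
    print("vulnerable handler charges:", charge_vulnerable(TAMPERED))
    print("hardened handler charges:  ", charge_hardened(TAMPERED))
```

The check in `provision_seats` matters as much as the pricing: it covers the case where the amount is altered between the application and the gateway rather than in the first request.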
