Exploiting the E-commerce Payment Business Logic
All about e-commerce payment business logic.
While I was surfing the internet I saw a t-shirt I liked, opened it and got redirected to an e-commerce website. I added the t-shirt to the cart and added my address, but... before I could proceed to payment something came to mind, and it was evil :).
Only a few days ago I had been reading about high-level business logic flaws, where I got to read about simple flaws that can be used to exploit the add-to-cart and payment mechanisms of e-commerce websites. So I thought, why not give it a try.

Let's start with the simple ones. Say you add one item to the cart, for example an item worth 2000 bucks: the number of items in the cart is now one, with a total amount of 2000. If you add one more item priced at 400, the cart now holds 2 items and the total is 2400. What you can do at this point is intercept the add-to-cart request in Burp and check whether a price parameter is sent by the client (which is rare to find these days). If the price parameter is there, you can try changing the price and then forwarding the request; a backend that trusts the client-supplied price instead of looking it up server-side will store the tampered value.

Here, if we try changing the price parameter, it works in the cart (rarely in real life, lol).
# The second logic flaw is in the product quantity.
We have already added one item for 2000. Now, when we go to add the second item for 400, click on add to cart → capture the request → mess with the quantity parameter: it is "1" right now, make it "-1", forward the request and refresh the cart page. The total price of the order is calculated with the formula Total price = (quantity of item 1) * (price of item 1) + (quantity of item 2) * (price of item 2). According to this, the total amount will now be (1 * 2000) + (-1 * 400) = 1600. If we make the quantity of the second item "-4", the total price of the order will be 2000 - 1600 = 400, which means you will be paying 400 instead of 2000. Cool, isn't it? But sadly it doesn't work so easily on every website, so don't try this.
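Both of the flaws above come down to the backend trusting values the client controls: the unit price and the sign of the quantity. The following is an added example, not code from the original post or from the site it describes, of an add-to-cart handler that looks the price up server-side, rejects non-positive quantities and caps the per-line quantity. The catalog, item IDs, prices and the `MAX_QTY_PER_LINE` limit are constructed for the example.

```python
from typing import Dict

# Constructed server-side catalog (item id -> unit price). Prices must come from
# here, never from the request body, so a tampered "price" field has no effect.
CATALOG: Dict[str, int] = {"tshirt-001": 2000, "cap-042": 400}

# Assumed business limit on how many units of one item a single cart may hold.
MAX_QTY_PER_LINE = 10


class CartError(ValueError):
    """Raised when an add-to-cart request fails validation."""


def naive_add_to_cart(cart: Dict[str, dict], request: dict) -> Dict[str, dict]:
    """The vulnerable pattern: stores whatever price and quantity the client sent."""
    line = cart.setdefault(request["item_id"], {"qty": 0, "price": request["price"]})
    line["qty"] += request["quantity"]
    line["price"] = request["price"]
    return cart


def hardened_add_to_cart(cart: Dict[str, int], request: dict) -> Dict[str, int]:
    """Validate an add-to-cart request and update the cart (item id -> quantity)."""
    item_id = request.get("item_id")
    if item_id not in CATALOG:
        raise CartError("unknown item")

    qty = request.get("quantity")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(qty, int) or isinstance(qty, bool) or qty < 1:
        raise CartError("quantity must be a positive integer")

    # A client-supplied price is simply ignored; it is also a useful signal to log
    # because a legitimate client never sends it.
    new_qty = cart.get(item_id, 0) + qty
    if new_qty > MAX_QTY_PER_LINE:
        raise CartError("quantity limit exceeded for this item")

    cart[item_id] = new_qty
    return cart


def naive_total(cart: Dict[str, dict]) -> int:
    """Total computed from client-controlled values (vulnerable)."""
    return sum(line["qty"] * line["price"] for line in cart.values())


def hardened_total(cart: Dict[str, int]) -> int:
    """Total computed only from server-side prices and validated quantities."""
    return sum(CATALOG[item_id] * qty for item_id, qty in cart.items())


if __name__ == "__main__":
    # Constructed requests: the second one carries a tampered price and a negative quantity.
    honest = {"item_id": "tshirt-001", "quantity": 1, "price": 2000}
    tampered = {"item_id": "cap-042", "quantity": -4, "price": 1}

    vulnerable_cart: Dict[str, dict] = {}
    naive_add_to_cart(vulnerable_cart, honest)
    naive_add_to_cart(vulnerable_cart, tampered)
    print("naive total:", naive_total(vulnerable_cart))  # client wins: 2000 - 4 = 1996

    safe_cart: Dict[str, int] = {}
    hardened_add_to_cart(safe_cart, honest)
    try:
        hardened_add_to_cart(safe_cart, tampered)
    except CartError as exc:
        print("rejected:", exc)
    print("hardened total:", hardened_total(safe_cart))  # 2000
```

The important design choice is that the hardened handler keeps only item IDs and quantities in the cart; the price is never stored from the request, so there is nothing for a tampered price field to overwrite.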
Now comes the main logic flaw, which might still be present on many websites.
# Messing with quantity numbers and price.
Back to my own story: after trying these two simple flaws I couldn't exploit anything, so I moved to the next level.
We are given the option to add as much quantity as we want; you can add 5 or maybe 10 of the same item to the cart. But did you ever wonder what the maximum number you can add to the cart is? No? Well, let's explore. Some websites do restrict and validate the maximum number of the same item you can add to your cart, but a lot of websites don't. If you add, say, 100 items, the total amount is calculated simply as (number of items * price).
But here is the interesting thing: maybe you can add 1000 items or maybe 100000 items, but there has to be a limit, right? Well, there is a limit, and it lies not in the website but in the very basics of the programming language. A signed 32-bit integer has a fixed range, -2,147,483,648 to 2,147,483,647, so any value beyond 2,147,483,647 violates that limit. What we can do is capture the add-to-cart request and send it to Intruder. In the quantity parameter give a number that depends on how many digits the field accepts: if two, give 99; if three, give 999; and so on. In Intruder, under the payload options, add a null payload, select "continue indefinitely" and start the attack.
# The result
While we run the indefinite attack the number of items keeps increasing, and so does the price, so after a while the value crosses 2,147,483,647. It has now exceeded the maximum value permitted for a 32-bit integer and violates the basic rule of programming in the backend, and that is why the value wraps around to negative numbers and then comes back to 0 (zero). So, suppose you want the price to settle between 0 and 100: you can choose the quantity accordingly, and for this you will have to add another item and calculate the quantity needed.
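The wraparound described here is ordinary two's-complement overflow: once quantity * price exceeds 2,147,483,647, a backend storing the result in a signed 32-bit integer ends up with a negative or tiny number. The following is an added example, not code from the original post or from the site it describes, of a regression test a developer can run against cart totals: it emulates what an int32 backend would store, and beside it a total routine that enforces an upper quantity bound and refuses any subtotal or total that would leave the int32 range. The prices, quantities and the `MAX_QTY_PER_LINE` limit are constructed for the example.

```python
from typing import Iterable, Tuple

INT32_MAX = 2**31 - 1   # 2,147,483,647, the limit the post refers to
INT32_MIN = -2**31      # -2,147,483,648

# Assumed business limit on units per line; any real shop would pick its own.
MAX_QTY_PER_LINE = 10


def wrap_int32(value: int) -> int:
    """Return the value a signed 32-bit integer would hold after overflow."""
    return (value + 2**31) % 2**32 - 2**31


def naive_total_int32(lines: Iterable[Tuple[int, int]]) -> int:
    """Emulates a backend that multiplies and sums in int32 with no checks.

    `lines` is an iterable of (quantity, unit_price) pairs.
    """
    total = 0
    for qty, price in lines:
        total = wrap_int32(total + wrap_int32(qty * price))
    return total


def safe_total(lines: Iterable[Tuple[int, int]], max_qty: int = MAX_QTY_PER_LINE) -> int:
    """Total with bounded quantities and explicit overflow detection.

    Raises ValueError for a quantity outside [1, max_qty] and OverflowError for
    any subtotal or running total that would not fit in a signed 32-bit integer.
    Python ints never overflow, so the check is made explicitly before the value
    would ever be handed to an int32 column or variable.
    """
    total = 0
    for qty, price in lines:
        if not 1 <= qty <= max_qty:
            raise ValueError(f"quantity {qty} outside allowed range 1..{max_qty}")
        if price < 0:
            raise ValueError("unit price must not be negative")
        subtotal = qty * price
        if subtotal > INT32_MAX:
            raise OverflowError("line subtotal exceeds int32 range")
        total += subtotal
        if total > INT32_MAX:
            raise OverflowError("order total exceeds int32 range")
    return total


if __name__ == "__main__":
    # Constructed cart: a 2000-priced item at a quantity whose subtotal just
    # passes 2,147,483,647, plus one 400-priced item.
    cart = [(1_073_742, 2000), (1, 400)]
    print("int32 backend stores:", naive_total_int32(cart))   # negative
    try:
        safe_total(cart)
    except (ValueError, OverflowError) as exc:
        print("rejected:", exc)
    print("honest cart:", safe_total([(1, 2000), (1, 400)]))  # 2400
```

Capping the quantity is the check that stops the attack in practice; the overflow check is defence in depth for the case where a price change or a bulk order pushes a legitimate total past the column width.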
So, using this logic, I finally exploited the payment mechanism. As the cart was not validating or restricting the maximum number of items that can be added, I gave a very large payload, the Intruder attack did the job, and I was able to add a large negative quantity (-922) to the cart. Hurray...
This was all done ethically: I reported it to the website without hoping for any bounty and did what a hacker should do. Remain ethical and keep hunting.
