Hacking E-Commerce using Burp suite
Hacking an e-commerce site and pulling off a heist is kind of everyone's dream. It feels like being a sneaky goblin who made off with a pile of GPUs or Nike shoes without leaving a single footprint.
This blog won't delve into the basics of e-commerce. Instead, it’ll share a practical example of how we exploited a specific e-commerce platform using Burp Suite.
What is Burp Suite?
Burp Suite is a software security application used for penetration testing of web applications. Both a free and a paid version of the software are available. The software is developed by the company PortSwigger.
For those new to Burp Suite, we recommend going here to get started with it.
How We Hacked E-Commerce
In this article, we will examine how a simple Business Logic Vulnerability could be abused to place an order marked as fully paid without paying a penny.
What is a Business Logic Vulnerability?
Business Logic Vulnerabilities are weaknesses in the design and implementation of an application's business logic that attackers can exploit to perform unintended actions. These vulnerabilities arise not from technical flaws like coding errors but from the way the application handles and processes business rules and workflows.
Examples of Business Logic Vulnerabilities:
- Authorization flow
- Race condition
- Inventory manipulation
- Price Manipulation
Business Impact of Price Manipulation in E-commerce
Price manipulation in E-commerce can have significant business impacts, affecting revenue, customer trust, legal standing, and overall business operations.
Attack approach & exploitation
While testing the web app, we found a regular workflow and nothing fancy: add the product to the cart, go to checkout, complete the order, and you're redirected to the thank-you page with an order tracking ID.
After obtaining our order ID, we first attempted to exploit an Insecure Direct Object Reference (IDOR) vulnerability in order tracking. We were unable to do so because the system used an unpredictable ID pattern that prevents IDOR there, so we quickly moved on to other potential vulnerabilities.
We then tried to retrieve information by searching for the order ID in the front end. However, the data returned was minimal and insufficient for our purposes.
However, we didn't stop there. Our curiosity drove us to dig deeper because we suspected that more information was being returned when we tried to track our order. We launched Burp Suite, intercepted the request, and discovered that the system was making an API GET request using our provided order ID, returning detailed order information, approval times, and other statuses.
But two JSON keys caught our eye: `totalPayTk` and `remainingTkPay`.
We analyzed the purpose of these keys by examining the POST requests through Burp Suite > HTTP History.
From our analysis, we observed the following:
When placing an order with the "Cash On Delivery" payment method:
- The totalPayTk value is set to 0.
- The remainingTkPay value is set to the totalBill amount.
When placing an order with the "Advance Payment" method:
- The totalPayTk value is set to the bill amount.
- The remainingTkPay value is automatically set to 0.
We decided to test the "Cash On Delivery" payment method by intercepting the request and setting the totalPayTk value to the total bill amount.
To our surprise, the order was successfully created with `{ "remainingTkPay": 0, … }` without requiring any payment!
Remediation
To remediate the price manipulation vulnerability, it is important to implement server-side validation for all pricing-related calculations and to enforce strict business rules so that price adjustments and payment processing cannot be tampered with. In this case, the amount paid and the amount remaining must be derived by the server from the payment method and the server-side bill (and, for advance payment, from what the payment provider confirmed), never copied from the checkout request.
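As an added illustration, not the platform's own code (which the post does not show), here is the flawed handling beside a hardened version in Python. The field names totalPayTk, remainingTkPay and totalBill come from the post; the handler shape, the payment method names and the amounts are assumptions.

```python
from dataclasses import dataclass

# Constructed example. Field names totalPayTk, remainingTkPay and totalBill are
# taken from the post; the handler shape, method names and amounts are assumed.
PAYMENT_METHODS = {"COD", "ADVANCE"}

@dataclass
class Order:
    total_bill: int
    payment_method: str
    total_pay_tk: int       # amount already paid
    remaining_tk_pay: int   # amount still owed at delivery

def create_order_vulnerable(req: dict) -> Order:
    """The flaw described above: payment state is copied from the request body."""
    return Order(
        total_bill=req["totalBill"],
        payment_method=req["paymentMethod"],
        total_pay_tk=req.get("totalPayTk", 0),
        remaining_tk_pay=req.get("remainingTkPay", req["totalBill"]),
    )

def create_order_hardened(req: dict, server_total_bill: int, gateway_paid: int) -> Order:
    """Payment fields are derived on the server; client-supplied copies are rejected."""
    # server_total_bill is recomputed from the cart on the server, never read from the
    # request; gateway_paid is what the payment provider confirmed (0 if nothing was paid).
    method = req.get("paymentMethod")
    if method not in PAYMENT_METHODS:
        raise ValueError("unknown payment method")
    # These fields are outputs of checkout, not inputs; their presence signals tampering.
    for field in ("totalPayTk", "remainingTkPay", "totalBill"):
        if field in req:
            raise ValueError(f"client may not set {field}")
    paid = 0 if method == "COD" else gateway_paid
    if method == "ADVANCE" and paid != server_total_bill:
        raise ValueError("advance payment does not cover the bill")
    return Order(server_total_bill, method, paid, server_total_bill - paid)

def is_rejected(req: dict, server_total_bill: int, gateway_paid: int) -> bool:
    """True when the hardened handler refuses the request (handy for regression tests)."""
    try:
        create_order_hardened(req, server_total_bill, gateway_paid)
    except ValueError:
        return True
    return False

# Constructed request mirroring the post: a COD order whose payment fields were edited.
TAMPERED_COD = {"paymentMethod": "COD", "totalBill": 1500,
                "totalPayTk": 1500, "remainingTkPay": 0}
```

The vulnerable handler records the tampered COD order as fully paid, while the hardened one refuses it and computes the same COD and advance-payment states the post observed from server-side data alone.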
Conclusion
Business Logic Vulnerability is one of the most common issues found in web applications, particularly in e-commerce platforms. If exploited by malicious actors, such vulnerabilities could have serious repercussions for customers and the business. Fortunately, in this case, we identified the issue through ethical testing and promptly reported it to the company’s security team. They took immediate action to address and resolve the problem.
References
- https://en.wikipedia.org/wiki/Burp_Suite
- https://portswigger.net/burp
- https://www.imperva.com/learn/application-security/business-logic/
- https://owasp.org/www-community/vulnerabilities/Business_logic_vulnerability