Hacking E-Commerce Using Burp Suite

Oct 27, 2025
Aoxsin
Cybersecurity Researcher
Hacking an e-commerce site and pulling off a heist is kind of everyone's dream. It feels like being a sneaky goblin who made off with a bunch of GPUs or Nike shoes without leaving a single footprint.
This blog won't delve into the basics of e-commerce. Instead, it’ll share a practical example of how we exploited a specific e-commerce platform using Burp Suite.
What is Burp Suite?
Burp Suite is a software security application used for penetration testing of web applications. Both a free and a paid version of the software are available. The software is developed by the company PortSwigger.

Fig: Burp Suite (Community Edition)
For those new to Burp Suite, we recommend going here to get started with it.
How We Hacked E-Commerce
In this article, we will examine a simple Business Logic Vulnerability that could be abused to place an order recorded as fully paid without paying a penny.
What is a Business Logic Vulnerability?
Business Logic Vulnerabilities are weaknesses in the design and implementation of an application's business logic that attackers can exploit to perform unintended actions. These vulnerabilities arise not from technical flaws like coding errors but from the way the application handles and processes business rules and workflows.
Examples of Business Logic Vulnerabilities:
Authorization flow
Race condition
Inventory manipulation
Price Manipulation
Business Impact of Price Manipulation in E-commerce
Price manipulation in E-commerce can have significant business impacts, affecting revenue, customer trust, legal standing, and overall business operations.
Attack Approach & Exploitation
While testing the web app, the purchase workflow was regular and nothing fancy: add the product to the cart, go to checkout, complete the order, and you're redirected to the thank-you page with an order tracking ID.

Fig: Order Thank you Page
After obtaining our order ID, we attempted to exploit an Insecure Direct Object Reference (IDOR) vulnerability. However, we were unable to do so because the order tracking IDs followed a pattern that prevented IDOR. So we quickly moved on to other potential vulnerabilities.

Fig: Order Tracking Pattern
After obtaining the order ID, we attempted to retrieve information by searching for it in the front end. However, the data returned was minimal or insufficient for our purposes.

Fig: Tracking data in front end
However, we didn't stop there. Our curiosity drove us to dig deeper because we suspected that more information was being returned when we tried to track our order. We launched Burp Suite, intercepted the request, and discovered that the system was making an API GET request using our provided order ID, returning detailed order information, approval times, and other statuses.

Fig: Tracking data through an API endpoint
But two JSON keys caught our eye: totalPayTk and remainingTkPay.

Fig: Vulnerable JSON key
We analyzed the purpose of these keys by examining the POST requests through Burp Suite > HTTP History.
From our analysis, we observed the following:
When placing an order with the "Cash On Delivery" payment method:
The totalPayTk value is set to "0".
The remainingTkPay value is set to the totalBill amount.

Fig: Order data after COD method
When placing an order with the "Advance Payment" method:
The totalPayTk value is set to the bill amount.
The remainingTkPay value is automatically set to 0.

Fig: Order Data Advance Payment Method
We decided to test the "Cash On Delivery" payment method by intercepting the request and setting the totalPayTk value to the total bill amount.
To our surprise, the order was successfully created with { "remainingTkPay": 0, … } without requiring any payment!

Fig: Order data after Price manipulation
Remediation
To remediate the price manipulation vulnerability, it's important to implement server-side validation for all pricing-related calculations and enforce strict business rules so that price adjustments and payment processing cannot be tampered with. In this case, that means the server must derive totalPayTk and remainingTkPay from the payment method and its own records, never from values supplied in the order request.
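As an added illustration (this is not the platform's code; the handler functions, the orderRef field and the confirmed_payments lookup are assumptions), here is an order handler that trusts the client's totalPayTk and remainingTkPay, beside a hardened one that derives both from server-side state and flags any client attempt to set them:

```python
from decimal import Decimal
from typing import Any, Dict

# Assumed set of payment methods the checkout accepts (constructed for this example).
PAYMENT_METHODS = {"COD", "ADVANCE"}


def vulnerable_create_order(client_payload: Dict[str, Any], total_bill: Any) -> Dict[str, Any]:
    """Before: copies payment fields straight from the request body.
    A COD request carrying totalPayTk=total_bill and remainingTkPay=0
    is stored as fully paid, which is the flaw described in the write-up."""
    total_bill = Decimal(str(total_bill))
    return {
        "totalBill": total_bill,
        "totalPayTk": Decimal(str(client_payload.get("totalPayTk", 0))),
        "remainingTkPay": Decimal(str(client_payload.get("remainingTkPay", total_bill))),
    }


def hardened_create_order(client_payload: Dict[str, Any], total_bill: Any,
                          confirmed_payments: Dict[str, Any]) -> Dict[str, Any]:
    """After: payment fields come only from the payment method and the server's
    own record of gateway-confirmed payments (confirmed_payments is an assumed
    lookup keyed by order reference). Client-supplied pricing keys are ignored
    and reported so the attempt can be logged and alerted on."""
    total_bill = Decimal(str(total_bill))
    method = client_payload.get("paymentMethod")
    if method not in PAYMENT_METHODS:
        raise ValueError("unknown payment method")
    # Any of these keys in the request is a tampering signal worth monitoring.
    tampered = sorted(k for k in ("totalPayTk", "remainingTkPay", "totalBill")
                      if k in client_payload)
    if method == "COD":
        paid = Decimal("0")  # nothing is paid up front on cash on delivery
    else:
        # Only money the gateway actually confirmed for this order counts.
        paid = Decimal(str(confirmed_payments.get(client_payload.get("orderRef"), 0)))
        if paid < total_bill:
            raise ValueError("advance payment not confirmed for the full amount")
    return {
        "totalBill": total_bill,
        "totalPayTk": paid,
        "remainingTkPay": total_bill - paid,
        "tamperedFields": tampered,
    }
```

The tamperedFields list is what a detection rule would key on: a legitimate client never sends those keys, so their presence on a COD order is a clear manipulation attempt.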
Conclusion
Business Logic Vulnerabilities are among the most common issues found in web applications, particularly in e-commerce platforms. If exploited by malicious actors, such vulnerabilities could have serious repercussions for customers and the business. Fortunately, in this case, we identified the issue through ethical testing and promptly reported it to the company's security team. They took immediate action to address and resolve the problem.
References
https://www.imperva.com/learn/application-security/business-logic/
https://owasp.org/www-community/vulnerabilities/Business_logic_vulnerability