B̶a̶k̶e̶ Hack your cake!
2022-3-7 21:54:34 Author: infosecwriteups.com

VIVEK P S

“If you can’t bake a cake then hack the entire cake shop” — Vivek Coelho

It was a Saturday and, as usual, we were planning to stop eating junk food tomorrow. So, we decided to have some desserts after the heavy lunch and then stop eating sugary items. “I can bake a cake,” said my wife. I said, “No dear!! You are already tired of watching the episodes of ‘Naagin’ (an Indian television series); why don’t you take some rest?” I also requested her to prepare for some competitive exams, only if she got time after watching the series. She agreed ❤. Happy wife and happy me.

So we could order a cake online. Let’s order from this shop’s website. I see this shop every day on the way to my office. It was a famous one in the locality. The minute I accessed the website, I had an intuition that this site had a lot of vulnerabilities. If you are used to security testing, you will have this sixth sense just by seeing the website's design and all. The first thing I noticed was the OTP feature for login. Maybe I could brute-force it and log in to other accounts. But why should I do that? I’m here to order the cake and not to see what all the fancy cakes others are buying. I signed into my own account and decided to stick with the plan of buying the cake, not doing some magic hacks. But you know it is not easy to break the habits. And I started inspecting the network traffic. As expected, the website did not have CSRF protection. OK, good, but I didn’t have any intention of reporting the vulnerabilities to the site owners or exploiting the bug. I was just curious, that’s all. So I didn’t take it seriously.

I selected a chocolate cake, and the cost was 800 Rs. On the payment page, I saw an option to enter a discount coupon. I tried entering random values, tried SQL injection, XSS, and a lot of things. Nothing worked. And as I said, I was not that interested in finding something, as I knew I would not be getting any reward or appreciation even if I reported the issue. Moreover, the lunch was so heavy that my body was using its entire energy just to digest it. “Sleep, sleep” was all my brain wanted.

So, I clicked on the checkout button, entered the delivery address, and an embedded payment popup was shown. The popup contained the total amount and the method of payment to choose from, like UPI, Net banking, etc. The gateway was ‘RazorPay’. But I still had the network traffic analyzer tab open, and I found something more delicious than the cake I had selected. The request they sent to the payment gateway contained a lot of information, and it also had five or more fields with values like ‘800.00’, ‘800000’, etc. The total cost was 800 Rs, and anything similar to that number should be related to the total price, right? I closed the payment popup, redirected my traffic through Burp Suite, and captured the requests after clicking the checkout button again. I intercepted the web request and changed all the parameters that contained ‘800’ to ‘1’, and the request was sent. I was surprised to see that the RazorPay popup was now showing the total amount as 1 instead of 800. I chose the UPI option and entered my UPI id. The amount in Google Pay was 1 and it was working. Next, I wanted to know if it actually worked. I could complete my order for 1 Rs. My intention was not to harm, but the superior feeling of doing something that normal people can’t do is something great. So I just changed the amount to 750 Rs. I knew if this didn’t work I would lose my 750 Rs and I would not receive the cake either. I opted for UPI and paid using Google Pay. The payment was successful, and a message was shown on the website saying I would receive the cake on time.
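The flaw described above is that the shop let the browser tell the payment gateway how much to charge. The following is an added Python example, not the shop's or Razorpay's code, contrasting that pattern with a server-side one: the server prices the cart itself, remembers the expected amount per order, and on the payment callback checks an HMAC signature over `order_id|payment_id` (the scheme Razorpay documents) before comparing the paid amount with the stored one. The catalogue, coupon table, key secret and callback shape are constructed assumptions.

```python
import hmac
import hashlib

# Constructed sample data, not the shop's real catalogue or keys.
CATALOGUE = {"chocolate_cake": 80000}   # prices in paise: 80000 = 800.00 Rs
COUPONS = {"SWEET10": 10}               # percent off, validated server-side
GATEWAY_SECRET = b"placeholder-key-secret"

ORDERS = {}  # order_id -> expected amount in paise; lives only on the server


def vulnerable_create_order(request):
    """Trusts the amount field the browser posted.

    Anyone with an intercepting proxy can rewrite 80000 to 100 here and the
    gateway popup will happily show the smaller figure.
    """
    return {"amount": request["amount"], "currency": "INR"}


def price_cart(cart, coupon=None):
    """Compute the payable amount from catalogue prices, never from the client."""
    total = sum(CATALOGUE[sku] * qty for sku, qty in cart.items())
    if coupon in COUPONS:
        total -= total * COUPONS[coupon] // 100
    return total


def hardened_create_order(order_id, cart, coupon=None):
    """Ignore any client-supplied amount; the server decides and records it."""
    amount = price_cart(cart, coupon)
    ORDERS[order_id] = amount
    return {"order_id": order_id, "amount": amount, "currency": "INR"}


def gateway_signature(order_id, payment_id):
    """Razorpay-style callback signature: HMAC-SHA256 over 'order_id|payment_id'."""
    msg = f"{order_id}|{payment_id}".encode()
    return hmac.new(GATEWAY_SECRET, msg, hashlib.sha256).hexdigest()


def confirm_payment(order_id, payment_id, signature, paid_amount):
    """Mark the order paid only if the callback is authentic and the amount matches.

    In production, paid_amount is fetched server-to-server from the gateway
    rather than read from the browser; that lookup is simplified to an argument here.
    """
    expected_sig = gateway_signature(order_id, payment_id)
    if not hmac.compare_digest(expected_sig, signature):
        return False  # forged or tampered callback
    return ORDERS.get(order_id) == paid_amount
```

A mismatch between the recorded and the paid amount is exactly the signal worth alerting on, since a legitimate checkout never produces one.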

Then started the real trouble. As usual, I started imagining the consequences of doing something illegal. I thought of calling the shop and telling them, “I ordered the cake and there was some network error, and I’m not sure I paid the correct amount and all.” No, it would be suicidal. So I decided to let it go. The next day, when I heard the calling bell of my apartment, I was sure that it was either the cake delivery boy or the police. So I requested my wife to open the front door while I hid inside the blanket.

Fortunately, it was the cake delivery boy, and he handed over the cake. Everything was fine. But 2 hours later I heard my phone ringing. Truecaller was showing the name of the cake shop from where I had ordered the cake. S**t, they might have checked the accounts and found some issues in the money received. What should I tell them, or should I not attend the call, or should I tell them that there was a network error when I ordered the cake? I attended the call, and the conversation went like this.

He: Hello, is it Vivek who ordered the cake earlier?

Me: Yes sir :|

He: Okay. So Vivek how was the cake?

Me: Very good sir. It was very tasty and the price was very reasonable.

He: Thank you Vivek. Please don’t forget to rate us on the Google review.

Me: Sure.

Happy Ending ******

Note: I could have reported the issue to them, but I didn’t because I thought that if I ever lost my job, I could live by eating cake. But when I checked recently, I could see the site had been rebuilt and the issue is fixed :(


Article source: https://infosecwriteups.com/b%CC%B6a%CC%B6k%CC%B6e%CC%B6-hack-your-cake-923a40054b9d?source=rss----7b722bfd1b8d--bug_bounty