Why WeSecureApp Rocks at Busting Payment Tampering Vulnerabilities
2024-03-11 17:48:35 Author: securityboulevard.com

Introduction

Hey folks, if you’ve been in the web security world for any length of time, you know that payment systems are like a giant, juicy target for attackers. Any little wiggle room in the logic and those crafty hackers will find a way to pay a lot less… or maybe even nothing at all. That’s where companies like WeSecureApp shine, and I’m here to tell you why.

Before we get into the nitty-gritty, let’s just establish the obvious: Payment tampering is bad news. It’s bad for the business (lost revenue) and bad for customers (trust is paramount). So, finding and fixing these issues is critical.

Our CTO (Akhil Reni) has always been the best at it and has made sure everyone on the team is equipped with the techniques. In fact, one of our first customers received a report of a total of 43 payment tampering vulnerabilities in their product.

Here is an old public report from our CTO, wherein he reported a Payment flaw to Zomato:

https://hackerone.com/reports/403783

The Usual Suspects

Let’s start by outlining some of the most common techniques attackers use to tamper with payments. We’ll focus on a few classics, and then later on, get a bit more creative with it:

  • Messing with the Price: This is the most straightforward way to manipulate a transaction – simply change the price field in the checkout request before it reaches the backend. If the server trusts that value instead of looking the price up from its own catalogue, voila! You just got yourself a sweet discount.
  • Quantity Shenanigans: Sometimes, quantity fields aren’t properly validated. Ever been tempted to try ordering 0.5 of something to see what happens? Turns out, some systems might round down, or even better, misinterpret the quantity and give you the item for free! Zero and negative quantities are worth a try for the same reason: a quantity of -1 on one line can cancel out the price of another.

Real-World Tampering Tales (with POCs)

Case Study 1: The Case of the Discount-Loving Hacker

Let’s say you’re browsing an online store called SuperMart. You add a fancy new laptop to your cart, priced at a cool $1000. Now, being a savvy security researcher, you open up your trusty developer tools and take a quick peek at the network requests when you hit checkout.

  • The Vulnerability: You notice the price is passed to the backend as a plain-text parameter in the payment request – something like price=1000.
  • The Exploit: A mischievous grin spreads across your face. You slyly change the price parameter to 500, or heck, why not 50, and hit submit. If SuperMart’s backend uses that value instead of re-reading the price from its own catalogue, your order might just go through at that ridiculously low price! (The same request is worth replaying with the price set to 0 or to a negative number, too.)

Case Study 2: When Coupon Codes Go Rogue

Imagine SuperMart, trying to be all generous, is running a sweet promotion. One of those classic “20OFF” coupon codes. Now, let’s think like an attacker:

  • The Vulnerability: The website applies the discount and then sends the final calculated price on to the payment gateway, without recording which codes have already been applied to the order. Poorly designed systems might therefore be vulnerable to the same coupon being stacked over and over!
  • The Exploit: Before hitting the final payment button, you start piling on the codes. 20OFF is good, but what if you try 20OFF again, and another one for good measure? Suddenly, exploiting a poorly handled discount system could make your purchase suspiciously cheap (or even free – a percentage code only ever creeps towards zero, but a fixed-amount code applied a few times can push the total negative!).
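To make the price, quantity and coupon tricks from the two case studies concrete, here is an added example (our illustration, not code from SuperMart or from the original post): a vulnerable checkout that believes whatever the request says, next to a hardened one that recomputes the order from server-side data. The catalogue, the SKUs, the FLAT10 fixed-amount code and the MAX_QTY cap are all assumptions made for the example; only the 20OFF code comes from the post.

```python
import logging

# Constructed catalogue and coupon table (assumptions for this example, not SuperMart's real data).
# Prices live in integer cents so the discount arithmetic stays exact.
CATALOG_CENTS = {"laptop-x1": 100000, "usb-cable": 999}
COUPONS = {
    "20OFF": ("percent", 20),   # the 20% code from the post
    "FLAT10": ("fixed", 1000),  # an assumed $10-off code, to show a total going negative
}
MAX_QTY = 50


def checkout_vulnerable(request: dict) -> float:
    """Trusts the client for price and quantity and applies every coupon it is handed."""
    total = 0.0
    for item in request["items"]:
        total += item["price"] * item["quantity"]      # price=50? quantity=0.5? The server believes it.
    for code in request.get("coupons", []):
        kind, value = COUPONS.get(code, ("percent", 0))
        if kind == "percent":
            total -= total * value / 100               # 20OFF, 20OFF, 20OFF...
        else:
            total -= value / 100                       # FLAT10 twice on a $9.99 cable goes below zero
    return total                                       # never clamped, never re-checked


def checkout_hardened(request: dict) -> int:
    """Recomputes the order from server-side data only and returns the total in cents."""
    total = 0
    for item in request["items"]:
        sku = item.get("sku")
        if sku not in CATALOG_CENTS:
            raise ValueError(f"unknown sku {sku!r}")
        qty = item.get("quantity")
        if type(qty) is not int or not 1 <= qty <= MAX_QTY:   # rejects 0.5, 0, -1, True and "1"
            raise ValueError(f"invalid quantity {qty!r}")
        unit = CATALOG_CENTS[sku]
        client_price = item.get("price")
        if isinstance(client_price, (int, float)) and round(client_price * 100) != unit:
            # The client never gets to set the price; a mismatch is a tamper signal worth logging.
            logging.warning("price mismatch for %s: client sent %r, catalogue says %d cents",
                            sku, client_price, unit)
        total += unit * qty
    codes = request.get("coupons", [])
    if len(codes) > 1:
        raise ValueError("one coupon per order")
    for code in codes:
        if code not in COUPONS:
            raise ValueError(f"unknown coupon {code!r}")
        kind, value = COUPONS[code]
        discount = total * value // 100 if kind == "percent" else value
        total -= min(discount, total)                  # a discount can never exceed the order itself
    return total


def is_rejected(request: dict) -> bool:
    """True when the hardened checkout refuses the request."""
    try:
        checkout_hardened(request)
    except ValueError:
        return True
    return False
```

Run the same tampered requests through both: the vulnerable path happily charges $50 for the laptop, sells half a laptop for $500 and turns three 20OFF codes into a $512 laptop, while the hardened path ignores the client price, throws out the fractional quantity and the second coupon, and floors a fixed discount at the order total. The amount finally sent to the payment gateway should be the hardened total and nothing the browser supplied.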

Important Note: Don’t actually do any of this on a live site folks! We’re ethical researchers, remember? 😉

Okay, let’s dive into the deeper end of the payment tampering pool. Things are about to get more interesting!

Advanced Tampering Tactics

Race Conditions: When Timing Is Everything

Coupon codes can be even more dangerous when mixed with a dash of race conditions. Let’s paint a scenario:

  1. The Vulnerability: Let’s say SuperMart limits a coupon to the first 100 customers. The check (“have fewer than 100 people used this code?”) and the update that records your redemption run as two separate steps, and nothing stops other requests from squeezing in between them. They don’t properly lock down inventory either, so the same gap lets multiple people end up buying the last item simultaneously.
  2. The Exploit: You find a super-desirable item about to go out of stock. You fire up multiple browser tabs or, if you’re feeling fancy, a script. Now, in each tab, you apply the coveted discount code and get ready to hit ‘buy’ …all at the same time. Every request that reads the counter before any of them has written it back passes the check, so several of them succeed where only one should have. Even if just one extra request sneaks through after the limit, you’ve successfully exploited the race condition and snagged the deal!
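Here is an added example of that check-then-act race (ours, not SuperMart’s code or the original post’s): an in-memory coupon counter standing in for the coupons table, with a racy redeem that reads the count and writes it back as two steps, beside one that does both under a lock. A barrier holds every racy request between its check and its write so the interleaving is reproducible rather than left to luck; a real test would fire the requests in parallel without one. The counter, the barrier and the thread helper are all assumptions made for the demonstration.

```python
import threading


class CouponCounter:
    """Constructed in-memory stand-in for a coupons table (assumption: a real app would hit a database)."""

    def __init__(self, max_uses: int):
        self.max_uses = max_uses
        self.used = 0
        self._lock = threading.Lock()

    def redeem_racy(self, barrier=None) -> bool:
        # Vulnerable: the check and the update are separate steps (read-then-write, a TOCTOU window).
        if self.used < self.max_uses:          # 1. check
            if barrier is not None:
                barrier.wait()                 # park every request here so all of them pass the check first
            self.used += 1                     # 2. act
            return True
        return False

    def redeem_atomic(self) -> bool:
        # Hardened: check and update happen as one unit. Against SQL the equivalent is a
        # conditional update, e.g. UPDATE coupons SET used = used + 1 WHERE code = ? AND used < max_uses,
        # followed by checking that exactly one row was affected.
        with self._lock:
            if self.used < self.max_uses:
                self.used += 1
                return True
            return False


def fire_concurrently(fn, n: int) -> int:
    """Run fn in n threads at once and return how many calls reported success."""
    results = []
    results_lock = threading.Lock()

    def worker():
        ok = fn()
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def demo(n_requests: int = 10, max_uses: int = 1):
    """Returns (successful racy redemptions, successful atomic redemptions) for the same limit."""
    racy = CouponCounter(max_uses)
    barrier = threading.Barrier(n_requests)
    racy_wins = fire_concurrently(lambda: racy.redeem_racy(barrier), n_requests)

    safe = CouponCounter(max_uses)
    safe_wins = fire_concurrently(safe.redeem_atomic, n_requests)
    return racy_wins, safe_wins


if __name__ == "__main__":
    print(demo())
```

With a limit of one and ten simultaneous requests, the racy counter hands out ten redemptions and the atomic one exactly one. When testing a live target the same idea applies: send the redemption (or the purchase of the last unit) from many connections in the same instant and count how many come back successful against the advertised limit.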

Rounding Errors: Tiny Numbers, Big Impact

Computers aren’t always great at precision: binary floating-point can’t represent most decimal fractions exactly, and the errors pile up as calculations scale.

  • The Vulnerability: Some systems store prices as floating-point numbers instead of integer minor units (cents) or decimals, and only round to two places when the amount is displayed or charged, leaving room for rounding errors.
  • The Exploit: You meticulously tinker with an item’s price or quantity in the request, making a line item work out to a fraction of a cent. When the system rounds this (sometimes right down to zero), your cart balance could look very, very appealing.
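As an added example (ours, not the original post’s code), here is the float behaviour described above beside the usual fix: treat money as integer cents, parse it with Decimal, and refuse any amount with digits past the cent. The helper names and the upper bound on an amount are assumptions for the illustration.

```python
from decimal import Decimal, InvalidOperation


def line_total_float(unit_price: float, quantity: float) -> float:
    """Vulnerable: money held in binary floats and rounded to cents only at charge time."""
    return round(unit_price * quantity, 2)   # 0.004 * 1 rounds to 0.00: the item is free


def cart_total_float(line_totals) -> float:
    """Vulnerable: summing floats accumulates representation error across a big cart."""
    return sum(line_totals)                  # ten lines of 0.10 do not add up to 1.0


def parse_money_cents(raw: str) -> int:
    """Hardened: convert a money string to integer cents, refusing anything finer than a cent."""
    try:
        value = Decimal(raw)
    except InvalidOperation:
        raise ValueError(f"not a monetary amount: {raw!r}")
    # Assumed upper bound for the example; NaN and infinities fail is_finite().
    if not value.is_finite() or value < 0 or value > Decimal("1000000"):
        raise ValueError(f"amount out of range: {raw!r}")
    if value != value.quantize(Decimal("0.01")):   # "0.004" has digits past the cent
        raise ValueError(f"sub-cent precision rejected: {raw!r}")
    return int(value * 100)


def cart_total_cents(raw_line_totals) -> int:
    """Hardened: integer cents add up exactly, whatever the cart size."""
    return sum(parse_money_cents(x) for x in raw_line_totals)


def is_rejected_amount(raw: str) -> bool:
    """True when parse_money_cents refuses the input."""
    try:
        parse_money_cents(raw)
    except ValueError:
        return True
    return False
```

Two checks worth running on any checkout: feed it an amount with three or more decimal places and see whether it is rejected, rounded, or silently truncated; and compare the total the server computes with the amount it actually hands to the payment gateway, since a mismatch between the two is where fractions of a cent go missing.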


Why WeSecureApp Excels

You can throw automated tools at a payment system all day long, but the truly dangerous vulnerabilities often require a human brain – one well-versed in the art of security research. That’s the advantage we bring to the table. WeSecureApp isn’t just about tooling; it’s about the people behind it.

Our team has a deep arsenal of offensive security techniques, honed over years of experience in breaking and fixing systems. We understand the sneaky ways attackers think, and we mimic those strategies to proactively find risks.

Here’s a glimpse of our approach:

  • Beyond Basic Scans: Our payment tampering checks don’t just stop at the obvious price and quantity tricks. We dig deep into price calculation logic, coupon handling, and inventory synchronization – the areas where subtle bugs often lead to big exploits.
  • Race Condition Hunting: We meticulously craft attack scenarios to expose timing-related vulnerabilities, especially around limited promotions or exclusive items.
  • Thinking Like the Bad Guys: We’re always researching the latest attack patterns. Payment tampering is constantly evolving. We update our methodologies so we’re ready to uncover even the most novel exploits.

This deep-dive approach is critical for industries like banking and finance, where the stakes are incredibly high. Our pentesters, with their specialized skills, give clients peace of mind knowing their payment systems aren’t just a gamble.

The post Why WeSecureApp Rocks at Busting Payment Tampering Vulnerabilities appeared first on WeSecureApp :: Simplifying Enterprise Security.

*** This is a Security Bloggers Network syndicated blog from WeSecureApp :: Simplifying Enterprise Security authored by Akhil Reni. Read the original post at: https://wesecureapp.com/blog/why-wesecureapp-rocks-at-busting-payment-tampering-vulnerabilities/


Source: https://securityboulevard.com/2024/03/why-wesecureapp-rocks-at-busting-payment-tampering-vulnerabilities/