Hi friends,
It’s me, Krishnadev P Melevila. After my first account takeover blog, I am back with a new response manipulation bug.
For those who don’t know me, please search Google for “Krishnadev P Melevila” or “Founder of Nodeista Infotech”.
So let’s start,
As per the program policy, I am not able to reveal the site’s identity, so I am referring to the site as example.com.
This bug allows an attacker to manipulate the response before it is sent to the payment gateway, bypassing the overall payment system.
This is mainly caused by the improper configuration of the payment system.
This bug causes severe damage to the economy of the company, so they considered it a P2 bug.
Steps to reproduce from an attacker’s point of view:
So in this way, we can buy all the things for free by exploiting this bug.
Summary and Timeline
Reported On: 23–07–2021T02:02PM IST
First response: 23–07–2021T04:05PM IST
Triaged On: 24–07–2021T10:00AM IST
Bounty Awarded On: 26–07–2021T04:50PM IST
My Instagram Handle: @krishnadev_p_melevila