InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


How I Found a Payment Tampering Bug and Almost Paid Zero Dollars!

By Iski, published in InfoSec Write-ups
3 min read, 5 days ago


Hey there! Life is full of surprises. Like that one time I added a whole cart of goodies online, only to see a giant bill staring back at me. But instead of crying over my empty wallet, I thought, why not flip the script? And that’s how I stumbled upon a juicy payment tampering bug.

The Boring Beginning

It all started on a lazy weekend. No exciting plans, no thrilling movies, just me, my laptop, and the ever-tempting world of bug bounty. After a bit of recon, I landed on an e-commerce site. Nothing out of the ordinary — flashy banners, fake discounts, and my favorite, the never-ending countdown timer.

Let’s Get Clicking

I added a few items to my cart, mostly for the sake of science (and maybe a bit of window shopping). After proceeding to checkout, I opened up Burp Suite to monitor the requests. That’s when I noticed something interesting — a sneaky little parameter named amount.

The Suspicious Parameter

POST /checkout HTTP/1.1
Host: example.com

item_id=1234&quantity=1&amount=499.99

It was like a lightbulb moment. I thought, “What if I… changed it?”

Idea: Let’s see what happens if I reduce the amount value.

item_id=1234&quantity=1&amount=4.99

Click, Boom, Success!

To my amazement, the payment went through. The system didn’t bother validating the amount on the server side. My account was charged only $4.99 for something worth $499.99. Jackpot? Not quite.
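To make the root cause concrete, here is an added illustration (not code from the post or from the site involved) of a checkout handler that trusts the client's amount beside one that recomputes the total from a server-side price table; the catalog, function names and sample bodies are constructed for the example.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed price table; the real site's prices are unknown.
CATALOG = {"1234": Decimal("499.99")}

# The request bodies shown in the write-up (form-encoded).
ORIGINAL_BODY = "item_id=1234&quantity=1&amount=499.99"
TAMPERED_BODY = "item_id=1234&quantity=1&amount=4.99"


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}


def charge_vulnerable(body: str) -> Decimal:
    """Charges whatever the client says: the behaviour the write-up describes."""
    form = parse_form(body)
    return Decimal(form["amount"])


def charge_hardened(body: str) -> Decimal:
    """Recomputes the total from server-side prices and rejects any mismatch."""
    form = parse_form(body)
    item_id = form.get("item_id")
    if item_id not in CATALOG:
        raise ValueError("unknown item")
    try:
        quantity = int(form["quantity"])
        claimed = Decimal(form["amount"])
    except (KeyError, ValueError, InvalidOperation) as exc:
        raise ValueError("malformed checkout request") from exc
    if quantity < 1:
        raise ValueError("quantity must be positive")
    expected = CATALOG[item_id] * quantity
    # The client value is only compared, never used to bill. A mismatch is
    # worth logging and alerting on: it means the request was tampered with.
    if claimed != expected:
        raise ValueError(f"amount mismatch: client sent {claimed}, expected {expected}")
    return expected


def hardened_accepts(body: str) -> bool:
    """True if the hardened handler would bill the request, False if it rejects it."""
    try:
        charge_hardened(body)
        return True
    except ValueError:
        return False
```

The fix is not to validate the amount field more carefully but to stop reading it as the price at all; the server already knows what the cart costs.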


Written by Iski

Cybersecurity Researcher | Penetration Tester | Bug Bounty Hunter | Web security| Passionate about cyber security, security automation
