Simple Bugs — Buying Everything for Free!!!
This write-up exposes several easily exploitable vulnerabilities that can result in price tampering. However, it offers a fresh perspective on how these risks can be addressed
Hello Everyone I am Vishal Vishwakarma [@rootxvishal] I hope you enjoy it and learn something new from it.
Introduction
Online shopping has become a popular trend in recent years, and as a result, online retailers are always looking for ways to attract more customers. One way to do this is by offering discounts and coupon codes. However, these discounts and codes can sometimes be exploited by attackers, leading to financial loss for the retailer.
Recently, I have found a vulnerability in the coupon code functionality of a website. This vulnerability allowed me as the attacker to buy anything from the website for absolutely free.
The Vulnerability
The vulnerability exists due to the lack of rate limiting on the coupon code input field. This allowed me to perform brute force attack on the coupon codes and obtain active coupons.
I have found that for employees the website issued some coupons (1000+) which were able to reduce the price of $100 (8,184INR) to absolutely zero money.
When I tried to buy something from the website for the first time there was an option to apply coupons, I did some googling and found some used coupons and the syntax was “Coupon-Company-XXXXX”
So I quickly applied a random coupon and intercepted the request in Burpsuite, and to my surprise the request’s response was :
HTTP/1.1 422 Unprocessable Entity
Content-Type: application/json
Connection: close
Access-Control-Allow-Origin: https://www.example.com
Vary: Origin
Access-Control-Allow-Credentials: true
X-Application-Context: APIGateway:prod-k8s:8080
CF-Cache-Status: DYNAMIC
Set-Cookie:
Server: cloudflare
CF-RAY:
Content-Length:
{"timestamp":16809496232323,"status":422,"error":"Unprocessable Entity","message":"Coupon is not published yet"}“XXXXX” In the coupon is nothing but just some random alphabets
So I invested some time thinking what to do next then I came up with an idea, I can just make 5 alphabet brute force dictionary by using crunch.
So I did all this and created a custom wordlist which has 400000+ combinations (words), then I forwarded the request to intruder and ran it with my custom wordlist, Yes We got it, It worked.
Impact of the Vulnerability
The impact of the vulnerability is significant as it can lead to financial loss for the website. Attackers can use this vulnerability to obtain free items, leading to a loss of revenue for the company. Additionally, it can damage the reputation of the company, as customers/employees may lose trust in the brand if they find out that coupon codes can be easily exploited.
Fixing the Vulnerability
To fix this vulnerability, The website needs to implement rate limiting mechanisms to prevent brute force attacks and make sure that the website does not leaks data from the backend which is not intended to be presented on the customer’s browser. Here are somethings that can help to mitigate this vulnerability :
Implement CAPTCHA or other similar mechanisms to prevent automated brute force attacks.
Implement rate limiting mechanisms to restrict the number of attempts that can be made for a coupon code within a certain time period.
Implement stronger coupon code generation algorithms to make it more difficult for attackers to guess valid coupon codes.
“Who has thought that an error message can lead to this?”
I would like to thank Saransh Saraf aka (MR23R0) for helping me to write this article : )
I hope you have enjoyed it and learned something new from it, if yes please hit the clap button and to discuss similar stuff connect with me:
