How I was able to buy a product for free


Cover image source: wallarm.com

Hi everyone, I hope you are well. In this article I will share a finding: how I was able to get a product for free by changing the quantity value to a negative number. So let’s get started.

The target was an email infrastructure provider for internet businesses. There were a lot of features you could buy, such as email automation, DKIM & SPF, a landing page builder, Shutterstock images, etc. I didn’t get permission to reveal the target, so let’s call it target.com.

Hunting for Bugs

First I registered on the website and tried the password reset feature, looking for a Host Header Injection that could be escalated to an account takeover, but I had no luck. So I started looking through the dashboard. I tried to find many bugs such as IDORs, CSRFs and XSS, but sadly no luck again D:

Then I found a page where I could buy a product. I chose Shutterstock Images.

As you can see in the image above, you can buy 1 Shutterstock Premium Image for 50.000 IDR or 3.49 USD. There were a lot of payment methods. I chose the Go-Pay payment method, clicked on Buy This Product and got this request:

Request body

You can see there is an item_qty parameter with the value 1. I changed the value from 1 to -1 to see what would happen next.

Changed the value to negative by adding (-)

Paid without paying

The application processed the request and treated it as a valid order. The order status automatically changed to PAID without any payment being made.
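The server-side check that was missing here, as an added example and not code from the target: it assumes a hypothetical item name and the 50.000 IDR unit price from the post, and shows the unvalidated quantity multiplication beside a validated version that rejects non-positive quantities and non-positive totals before any payment state is derived.

```python
import re

# Constructed price table from the write-up: 1 Shutterstock Premium Image costs
# 50.000 IDR. IDR has no minor unit, so plain integers are used for money.
PRICE_IDR = {"shutterstock_premium_image": 50_000}  # hypothetical item key


class OrderError(ValueError):
    """Raised when an order request fails validation."""


def vulnerable_total(item: str, item_qty) -> int:
    """The behaviour the post describes: item_qty is multiplied through without
    validation, so item_qty=-1 produces a negative amount due."""
    return PRICE_IDR[item] * int(item_qty)


def is_paid_naive(amount_due: int, amount_paid: int) -> bool:
    """A settlement check that turns a negative amount due into a free order:
    with amount_due=-50000 and nothing paid, 0 >= -50000 is already 'paid'."""
    return amount_paid >= amount_due


def validated_total(item: str, item_qty, max_qty: int = 100) -> int:
    """Hardened version: quantity must be a positive integer within bounds
    (accepted as int or canonical ASCII digits only), and the resulting
    amount must be strictly positive before the order can proceed."""
    if item not in PRICE_IDR:
        raise OrderError("unknown item")
    if isinstance(item_qty, bool) or not isinstance(item_qty, (int, str)):
        raise OrderError("quantity must be an integer")
    if isinstance(item_qty, str):
        # Only [0-9]+ is accepted: this rejects "-1", "+1", " 1", "1.5", "1e3".
        if not re.fullmatch(r"[0-9]+", item_qty):
            raise OrderError("quantity must be a positive integer")
        item_qty = int(item_qty)
    if item_qty < 1 or item_qty > max_qty:
        raise OrderError("quantity out of range")
    total = PRICE_IDR[item] * item_qty
    if total <= 0:  # defence in depth: never derive PAID from a non-positive amount
        raise OrderError("amount due must be positive")
    return total


def rejects(item: str, item_qty) -> bool:
    """Helper for tests: True if validated_total refuses this quantity."""
    try:
        validated_total(item, item_qty)
    except OrderError:
        return True
    return False
```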

I then reported this vulnerability to their team and was rewarded with a $100 bounty, even though the company doesn’t have a bug bounty program.

Rewarded $100

Reference:

https://allen.gerysena.com/merubah-kondisi-bilangan-hingga-manipulasi-jutaan-koin/

Follow me on Twitter:

https://twitter.com/0xrdnzx