Disclaimer: This article is for educational purposes only. The techniques described should only be used on systems you own or have explicit permission to test. Unauthorized price manipulation is illegal and unethical.
Hi everyone, how are you? I hope you guys are well. I'm RyuuKhagetsu, this is my article in English, sorry if there are any mistakes. I hope you enjoy my article.
It all started when I wanted to study for my exams. Before paying for it, I turned on Burp Suite to see the data requests sent, hoping to find something good for me.
E-commerce learning platform showing course pricing
Discovering the Price Parameter
From intercepting the request, I found the "harga:39000" parameter, which represents the initial price of the learning course I wanted to buy. This parameter caught my attention immediately, as it seemed to be directly controlling the price display.
Testing Parameter Tampering
I used the Repeater function in Burp Suite to modify the parameter and observe the server's response. This is where the magic happened!
# Original request parameter
POST /checkout HTTP/1.1
Host: learning-platform.com
Content-Type: application/json

{
  "course_id": "12345",
  "harga": 39000
}
I changed the parameter from "harga:39000" to "harga:1000" and got a 200 OK response. I was very happy, and when I checked my catalog, the price had actually changed!
# Modified request parameter
POST /checkout HTTP/1.1
Host: learning-platform.com
Content-Type: application/json

{
  "course_id": "12345",
  "harga": 1000
}
Critical Vulnerability Found: The server accepted the modified price parameter without any server-side validation, allowing me to change the course price from IDR 39,000 to IDR 1,000!
Impact Assessment
This vulnerability demonstrates a critical business logic flaw where:
- Financial Loss: Attackers could purchase premium courses at drastically reduced prices
- Revenue Impact: Mass exploitation could lead to significant financial losses for the platform
- Business Integrity: Price manipulation undermines the platform's pricing model
- Easy Exploitation: No special tools required beyond basic web proxy software
Responsible Disclosure
I immediately contacted the website administrator and reported this critical vulnerability through their responsible disclosure process.
Timeline
📅 01 May 2022: Vulnerability reported to admin
✅ 01 May 2022: Got feedback confirming the report
🎉 02 May 2022: Received bounty reward for the finding
Note: The developer gave me permission to disclose this report without mentioning their platform name or specific details that could identify the system.
Prevention Measures
To prevent similar price manipulation vulnerabilities, developers should implement:
- Server-Side Validation: Always validate prices on the server side, never trust client-side data
- Database-Driven Pricing: Fetch prices from secure database rather than accepting them from client requests
- Session Management: Use secure session tokens to track legitimate pricing data
- Input Sanitization: Validate and sanitize all user inputs before processing
- Business Logic Testing: Regularly test critical business functions for manipulation vulnerabilities
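To make the first two prevention measures concrete, here is an added example (my own illustration, not code from the original post or from the affected platform) of a checkout handler written both ways: one that trusts the client-supplied "harga" value, as the vulnerable endpoint did, and one that looks the price up from a server-side catalog and only uses the client value to flag a mismatch for monitoring. The course ids, prices, function names and the `COURSE_CATALOG` dictionary are all constructed stand-ins for a real database.

```python
"""Added example: server-side pricing for a checkout endpoint.

Not code from the original post; course ids, prices and function names are
constructed for illustration. COURSE_CATALOG stands in for the platform's
product database.
"""
import logging
from dataclasses import dataclass

log = logging.getLogger("checkout")

# Constructed price catalog in IDR, keyed by course id.
COURSE_CATALOG = {
    "12345": 39000,
    "67890": 120000,
}


@dataclass
class Order:
    course_id: str
    charged: int      # amount the customer is actually billed
    tampered: bool    # True when the client-sent price disagreed with the catalog


def checkout_trusting_client(body: dict) -> Order:
    """Vulnerable pattern: the price ("harga") is taken straight from the
    request body, so anyone with a web proxy can lower it, exactly as the
    post describes."""
    return Order(course_id=body["course_id"],
                 charged=int(body["harga"]),
                 tampered=False)


def checkout_server_priced(body: dict) -> Order:
    """Hardened pattern: the only client input that matters is the course id.
    The price is fetched from the server-side catalog; a client-sent "harga"
    is compared against it purely to log tampering attempts."""
    course_id = body.get("course_id")
    if not isinstance(course_id, str) or course_id not in COURSE_CATALOG:
        raise ValueError("unknown course_id")
    price = COURSE_CATALOG[course_id]

    tampered = False
    if "harga" in body and body["harga"] != price:
        # Detection signal: a mismatch here is worth alerting on, since a
        # legitimate client should never send a price that differs from the catalog.
        tampered = True
        log.warning("price mismatch for course %s: client sent %r, catalog says %d",
                    course_id, body["harga"], price)
    return Order(course_id=course_id, charged=price, tampered=tampered)


if __name__ == "__main__":
    # Constructed request bodies mirroring the original and modified requests above.
    modified = {"course_id": "12345", "harga": 1000}
    print(checkout_trusting_client(modified))   # charged=1000: the bug
    print(checkout_server_priced(modified))     # charged=39000, tampered=True
```

The hardened version never reads a price from the client at all; keeping the comparison only as a log line means a tampered request still pays full price while still leaving a trace that a SOC can alert on.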
Lessons Learned
This experience taught me several important lessons:
- Always test business-critical parameters during security assessments
- Simple parameter manipulation can lead to significant vulnerabilities
- Responsible disclosure builds trust with organizations and the security community
- Even basic tools like Burp Suite can uncover high-impact vulnerabilities
Conclusion
I forgot my original goal of changing the price and buying the lessons I had changed the price for, but it's okay for me. The learning experience and the bounty reward were more valuable than the discount I could have gotten!
This case demonstrates how critical business logic vulnerabilities can be discovered through systematic testing and curiosity. The key is to always question how applications handle sensitive data and to test the boundaries of their validation mechanisms.
Maybe that's all from me, hopefully it can be a reference for you and sorry if there are things that are not clear. I'm RyuuKhagetsu, see you in the next article.