How did I order food worth 1000₹ for 1₹?

It all started with a blog post about how Kanishk Sajnani (an ethical hacker) booked a flight ticket to the USA for 1₹. As usual, I started collecting a list of food ordering websites in Chennai and ruled out the mature ones, since the probability of finding vulnerabilities there is lower than on new ones. So I targeted a fairly new website that has good traffic. I am a freelance JavaScript developer, and I’ll be sharing how I ordered food for 1₹ and the steps needed to close the vulnerability.
Let’s dig in
I opened an account and checked the flow of the app, from filling in the profile details through to checkout and payment. The website was built in PHP. With that excitement I fired up Burp Suite straight away and opened the site in Firefox. Then I searched for a popular restaurant near my house and added my favourite dish, a.k.a. Biriyani, to the cart.
I knew only one way to play with the price parameters, and that was intercepting the requests in Burp Suite. So I started changing the price values and found that only a positive value would work. I changed the cart price to 1₹; before the modification it was exactly 980₹ (inclusive of all taxes).
A properly built shopping app never trusts prices or totals sent from the client side: it looks up each item’s price on the server and recomputes the bill itself, and if cart data has to pass through the client and come back, it protects that data with a keyed hash (an HMAC) so any alteration is detected. Here there was no such protection, and the app simply used the values the client sent. On the payment page the amount was 1₹, and I paid it with my Paytm wallet. This clearly shows they had not implemented any server-side validation of the items in the shopping cart.
I received an SMS confirming the order, and the amount mentioned was 1₹. I thought the restaurant staff or the delivery boy might get suspicious on seeing the bill. To my surprise, nobody got suspicious or raised a complaint with the software company that maintains the site for them.
The fix for this simple hack is to never trust data coming from the front end (client side). The server should look up each item’s price in its own database, recompute the total including taxes, and charge that amount regardless of what the client sent. If cart data must round-trip through the client, the server can sign it with a keyed hash (an HMAC) and verify the signature on the way back, so altered data is rejected. A plain, unkeyed checksum is not enough, because the attacker can simply recompute it after editing the values.
Fun part begins
After lunch, I started looking for other vulnerabilities. I landed on the login page of the admin portal on a testing sub-domain (e.g. test.xyz.com). On viewing the admin site’s source code I found some admin page URLs in commented-out <a> tags. So I tried some of the links: test.xyz.com/customers, /coupons, /restaurants, etc.
The admin portal should be kept secure, because anyone who gets access to it controls the entire site. To my surprise, none of the admin pages required authentication except the login page itself, and the test portal was linked to the production database…WTF? Anyone with the link could get into the admin portal. Inside it, one can see all the details regarding customers, bills, coupons, restaurants, deliveries, pickups, etc. The root cause was that authentication had been bolted onto the login page only, instead of being enforced on every admin route; hiding the links in HTML comments is not access control. Pointing a test environment at production data is a second, separate mistake: even a properly authenticated test portal should never expose real customer records.

I sent a mail about the vulnerabilities I had found on the website to the support team. I was also ready to pay for the food I had eaten. But the response was quite different from what I expected: they replied saying that they didn’t have enough time to resolve my query. 😧 I reported the vulnerabilities a year ago, and to date they still haven’t fixed these bugs.

Thanks for reading 🙌🏼.