In this tutorial we will be discussing how popular payment systems can be exploited to buy goods at a discount, focusing on web code as part of our web application penetration testing series. Browsers, through their developer tools, let us edit, change, or remove the information we submit to a web application before the server processes it, whether that processing inserts into a database, updates it, or deletes from it. This applies to shopping carts, e-commerce sites, social media platforms, and even bank accounts.
Moving on to lesson number two, we will try our hand at an online store. We will order a new TV and attempt to buy one or more TVs at a lower price. The cart shows the quantity, the price, and a remove button, and from these it computes the subtotal. When we click on checkout we get the following response: “This is too expensive, you need to buy at a cheaper cost.”
To amend the information the browser submits to the web application, we can use the browser's Web Developer tools to launch the attack. Open the menu, choose Web Developer, then Network, or use the shortcut Ctrl+Shift+E. Clear the existing entries, then click on checkout: a POST request appears with status 200. We can see its parameters, such as the quantity and the total, and the response, which is “This is too expensive, you need to buy at a cheaper cost.”
Now right-click the request in the list on the left and choose Edit and Resend. We can inspect the request headers and all the other information. The request body includes qty for quantity and total. We can change any of these values; in this case we set total to 29.99. Sending the edited request gives the new response, which says “Feedback well done! You just bought a TV at a discount.”
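The lesson works because the server believes the total the browser sends. The following Python sketch is an added example, not code from the tutorial or from the store it uses: it contrasts a checkout handler written that way with one that recomputes the total from a server-side price list and flags any mismatch with the client's value as a tampering signal. The catalogue, its prices, the spending limit and the extra item parameter are constructed assumptions; qty and total match the request body shown above.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed server-side price list and spending limit (hypothetical values,
# not taken from the tutorial's store).
CATALOG = {
    "tv-55": Decimal("1299.99"),
    "hdmi-cable": Decimal("19.99"),
}
SPENDING_LIMIT = Decimal("1000.00")   # the "too expensive" threshold
MAX_QTY = 10

TOO_EXPENSIVE = "This is too expensive, you need to buy at a cheaper cost."


def parse_form_body(body: str) -> dict:
    """Turn a form-encoded POST body such as 'qty=1&total=29.99' into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_checkout(body: str) -> dict:
    """The flawed pattern the lesson exploits: the server trusts the client's 'total'.
    Editing 'total' in the resent request is enough to pass the price check."""
    params = parse_form_body(body)
    try:
        total = Decimal(params.get("total", ""))
    except InvalidOperation:
        return {"status": 400, "message": "invalid total"}
    if total > SPENDING_LIMIT:
        return {"status": 400, "message": TOO_EXPENSIVE}
    return {"status": 200, "message": "order accepted", "charged": total}


def hardened_checkout(body: str) -> dict:
    """The server recomputes the total from its own catalogue; the client's 'total'
    is only compared against it, and any mismatch is flagged for monitoring."""
    params = parse_form_body(body)
    item = params.get("item", "")
    unit_price = CATALOG.get(item)
    if unit_price is None:
        return {"status": 400, "message": "unknown item", "tampered": False}
    try:
        qty = int(params.get("qty", ""))
    except ValueError:
        return {"status": 400, "message": "invalid quantity", "tampered": False}
    if not 1 <= qty <= MAX_QTY:
        return {"status": 400, "message": "quantity out of range", "tampered": False}

    server_total = (unit_price * qty).quantize(Decimal("0.01"))

    # Detection: compare what the browser claimed with what the server computed.
    tampered = False
    client_total = params.get("total")
    if client_total is not None:
        try:
            tampered = Decimal(client_total) != server_total
        except InvalidOperation:
            tampered = True
    if tampered:
        # In a real service this would go to the audit log or SIEM, not stdout.
        print(f"ALERT price mismatch item={item} qty={qty} "
              f"client={client_total} server={server_total}")

    if server_total > SPENDING_LIMIT:
        return {"status": 400, "message": TOO_EXPENSIVE, "tampered": tampered}
    return {"status": 200, "message": "order accepted",
            "charged": server_total, "tampered": tampered}


if __name__ == "__main__":
    forged = "item=tv-55&qty=1&total=29.99"   # constructed: the edited, resent request
    print(vulnerable_checkout(forged))        # status 200: the discount is granted
    print(hardened_checkout(forged))          # status 400, tampered=True
    print(hardened_checkout("item=hdmi-cable&qty=2&total=39.98"))  # honest order, 200
```

The hardened handler never uses the client's total to decide anything; it exists in the request only so that a disagreement can be logged, which is the simplest detection for this class of tampering. Money is handled with Decimal rather than float, and the quantity is bounded so that negative or absurd values cannot drive the recomputed total below the limit.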
In conclusion, we were able to alter the data being sent back and forth between the browser and the web application system. We hope you learned something valuable in today’s tutorial. If you have any questions, feel free to leave a comment below, and we will try our best to answer your queries. Remember to like and share this article.