Writeup for the “Cheesy Does It” daily challenge on Bugforge.io.
Challenge Overview
The first thing I did was use the application like a normal user, exploring its core features to understand the functionality before looking for vulnerabilities.
Application Analysis
The application allows users to register an account and order pre-made pizzas or build custom ones.

Initial Testing Attempts
I started with some common attack vectors:
Mass Assignment Attack: I tried adding "role": "admin" to the POST /api/register request during registration. The user was created successfully, but it was assigned the default user role.
IDOR Testing: I attempted to access other users’ orders by manipulating order IDs, but this also didn’t work, as the application properly validates authorization.
Vulnerability Discovery
Broken Logic in Payment Processing
While analyzing the HTTP requests in Caido, I noticed something interesting about the POST /api/orders request. The price of the order is defined client-side in the request body rather than calculated server-side. This suggests the client is responsible for determining the final payment amount.
Here’s the original request structure:

```http
POST /api/orders HTTP/1.1
[...]

{
  "items": [
    {
      "pizza_name": "Pepperoni Classic",
      "base_name": "Hand Tossed",
      "sauce_name": "Classic Tomato",
      "size": "Medium",
      "toppings": [
        "Pepperoni",
        "Extra Mozzarella"
      ],
      "quantity": 1,
      "unit_price": 12.99,
      "total_price": 12.99,
      "id": 1768207907541
    }
  ],
  "delivery_address": "test",
  "phone": "test",
  "payment_method": "card",
  "notes": ""
}
```
Exploitation
I modified the total_price parameter from 12.99 to 1 and sent the request again. The server responded successfully, indicating that the order was created with the manipulated price.
The vulnerability lies in the application trusting the client-supplied unit_price and total_price fields instead of computing and validating the final order amount server-side.
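To show what the missing server-side step looks like, here is an added example (my own code, not the challenge application's) of an order pricer that recomputes every line item from a server-side catalog and rejects any order whose client-supplied prices disagree. The catalog, the MAX_QUANTITY limit and the helper names are assumptions for this example; only the 12.99 Medium "Pepperoni Classic" price and the request body itself come from the writeup.

```python
"""Server-side order pricing: never trust client-supplied prices."""
import copy
import json
from decimal import Decimal, InvalidOperation

# Constructed menu for this example. The real application's catalog is not
# known; only the 12.99 Medium "Pepperoni Classic" price appears in the writeup.
CATALOG = {
    "Pepperoni Classic": {"Medium": Decimal("12.99"), "Large": Decimal("15.99")},
    "Margherita": {"Medium": Decimal("10.99"), "Large": Decimal("13.99")},
}
MAX_QUANTITY = 50  # assumed business limit per line item


class InvalidOrder(ValueError):
    """Raised when a client-supplied order fails server-side validation."""


def _as_money(value) -> Decimal:
    """Convert a JSON number to a two-decimal Decimal; reject anything else."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise InvalidOrder("price field is not a number")
    try:
        return Decimal(str(value)).quantize(Decimal("0.01"))
    except InvalidOperation as exc:  # inf, absurdly large values, etc.
        raise InvalidOrder("price field out of range") from exc


def price_item(item: dict) -> tuple[Decimal, Decimal]:
    """Return (unit_price, line_total) from the catalog, ignoring client prices."""
    sizes = CATALOG.get(item.get("pizza_name"))
    if sizes is None:
        raise InvalidOrder(f"unknown pizza {item.get('pizza_name')!r}")
    unit_price = sizes.get(item.get("size"))
    if unit_price is None:
        raise InvalidOrder(f"unknown size {item.get('size')!r}")
    quantity = item.get("quantity")
    if isinstance(quantity, bool) or not isinstance(quantity, int):
        raise InvalidOrder("quantity must be an integer")
    if not 1 <= quantity <= MAX_QUANTITY:
        raise InvalidOrder(f"quantity {quantity} out of range")
    return unit_price, unit_price * quantity


def price_order(order: dict) -> Decimal:
    """Return the authoritative order total.

    Client-supplied unit_price/total_price are compared against the server's
    figures purely to detect tampering: a mismatch is rejected (and is worth
    logging as a fraud signal), never honoured.
    """
    items = order.get("items")
    if not isinstance(items, list) or not items:
        raise InvalidOrder("order has no items")
    total = Decimal("0.00")
    for item in items:
        if not isinstance(item, dict):
            raise InvalidOrder("item is not an object")
        unit_price, line_total = price_item(item)
        for field, expected in (("unit_price", unit_price), ("total_price", line_total)):
            if field in item and _as_money(item[field]) != expected:
                raise InvalidOrder(
                    f"{field} {item[field]!r} does not match server price {expected}"
                )
        total += line_total
    return total


def order_rejected(order: dict) -> bool:
    """True if price_order refuses the order (used in the demo below)."""
    try:
        price_order(order)
    except InvalidOrder:
        return True
    return False


def tampered(order: dict, **overrides) -> dict:
    """Copy of an order with fields of its first item replaced (demo helper)."""
    forged = copy.deepcopy(order)
    forged["items"][0].update(overrides)
    return forged


# The request body from the writeup, exactly as captured in Caido.
ORIGINAL_ORDER = json.loads("""{
  "items": [{"pizza_name": "Pepperoni Classic", "base_name": "Hand Tossed",
             "sauce_name": "Classic Tomato", "size": "Medium",
             "toppings": ["Pepperoni", "Extra Mozzarella"], "quantity": 1,
             "unit_price": 12.99, "total_price": 12.99, "id": 1768207907541}],
  "delivery_address": "test", "phone": "test", "payment_method": "card", "notes": ""
}""")

if __name__ == "__main__":
    print("honest order total:", price_order(ORIGINAL_ORDER))
    # The writeup's manipulation: total_price changed from 12.99 to 1.
    print("total_price=1 rejected:", order_rejected(tampered(ORIGINAL_ORDER, total_price=1)))
```

The key design choice is that the returned total is computed only from the catalog; the comparison against the client's fields exists so that a forged price is surfaced as an explicit rejection (and a log line) rather than silently corrected, which gives defenders a detection signal for exactly the kind of probing described in this writeup. Using Decimal rather than float avoids spurious mismatches from binary rounding of values such as 12.99.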
Flag Retrieval
After placing the order with the manipulated price, I checked the order history. The order appeared successfully, and within the order details, the flag was revealed.