Bug on Coderbounty

Vulnerability Name: Parameter Tampering (allows a user to tamper with the amount he needs to pay)

Vulnerable URL: http://www.coderbounty.com/post/?url=http%3A%2F%2Fgithub.com%2FCoderBounty%2Fcoderbounty%2Fissues%2F165

Vulnerable Parameter (tamperable): grand_total

Vulnerability: By tampering with the parameters while they are passed during the payment step, an attacker can change the price to be paid to whatever amount he desires.

How to reproduce this issue:

Here I am giving the exact steps to reproduce this vulnerability.

1). Open the browser and Burp Suite and go up to the payment options.
2). Paste the URL above into the browser and intercept the request while forwarding it.
3). Now select the PayPal method to pay; keep intercepting and forwarding the request in Burp Suite until you find the parameter 'grand_total'.
4). Find and modify the 'grand_total' parameter to the desired amount you want.
5). Now log in with your PayPal account to pay the grand_total.
6). You can now see that the amount payable, the grand_total, has been changed to the modified price from the 'grand_total' parameter.
7). An attacker can thus pay the modified, tampered amount of money and get his desired payment done.

POC: screenshot attached in attachments.
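The root cause the report describes is a checkout handler that charges whatever grand_total the client posts, so any value rewritten in an intercepting proxy is accepted. The example below is added here and is not CoderBounty's code: it shows the vulnerable pattern beside a hardened one that recomputes the total from server-side state, treats the posted value only as a consistency check, and records a mismatch as a tamper signal. The Bounty record, the 10% service fee and all function names are hypothetical, and the request is a constructed dict rather than a real HTTP request.

```python
"""
Added example (not CoderBounty's code): why a client-supplied 'grand_total'
must never be trusted, and how a server recomputes and verifies it.
Bounty, SERVICE_FEE_RATE and every function below are hypothetical.
"""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

# Hypothetical fee schedule used by this example only.
SERVICE_FEE_RATE = Decimal("0.10")
CENTS = Decimal("0.01")


@dataclass(frozen=True)
class Bounty:
    """Server-side record of what the user is actually buying."""
    issue_url: str
    amount: Decimal  # bounty the poster chose, already validated server-side


def expected_total(bounty: Bounty) -> Decimal:
    """Authoritative total: bounty plus service fee, computed from server state."""
    fee = (bounty.amount * SERVICE_FEE_RATE).quantize(CENTS, ROUND_HALF_UP)
    return bounty.amount + fee


def checkout_untrusted(form: dict, bounty: Bounty) -> Decimal:
    """Vulnerable pattern: charges whatever 'grand_total' the client posted.
    Everything in `form` can be rewritten by an intercepting proxy, so the
    server-side bounty record is never consulted."""
    return Decimal(form["grand_total"])


class TamperedTotal(ValueError):
    """Raised when the posted total does not match the server's computation."""


def checkout_verified(form: dict, bounty: Bounty, audit_log: list) -> Decimal:
    """Hardened pattern: recompute the total server-side and use the client's
    value only as a consistency check. A mismatch is logged (it is a strong
    tamper signal) and the request is rejected before any payment call."""
    server_total = expected_total(bounty)
    raw = form.get("grand_total", "")
    try:
        client_total = Decimal(raw).quantize(CENTS, ROUND_HALF_UP)
    except (InvalidOperation, ValueError, TypeError):
        audit_log.append(f"grand_total malformed for {bounty.issue_url}: {raw!r}")
        raise TamperedTotal("grand_total is not a valid amount")
    if client_total != server_total:
        audit_log.append(
            f"grand_total mismatch for {bounty.issue_url}: "
            f"posted={client_total} expected={server_total}"
        )
        raise TamperedTotal("grand_total does not match the server-side total")
    # The amount handed to the payment provider is always the server's figure.
    return server_total


def demo() -> dict:
    """Constructed scenario: a 100.00 bounty whose posted grand_total was
    rewritten to 1.00, plus an honest request for comparison."""
    bounty = Bounty("https://github.com/CoderBounty/coderbounty/issues/165",
                    Decimal("100.00"))
    tampered_form = {"grand_total": "1.00"}   # constructed tampered request
    honest_form = {"grand_total": "110.00"}   # constructed untouched request
    audit_log: list = []
    vulnerable_charge = checkout_untrusted(tampered_form, bounty)
    try:
        checkout_verified(tampered_form, bounty, audit_log)
        rejected = False
    except TamperedTotal:
        rejected = True
    honest_charge = checkout_verified(honest_form, bounty, audit_log)
    return {
        "vulnerable_charge": str(vulnerable_charge),  # "1.00"
        "rejected": rejected,                         # True
        "honest_charge": str(honest_charge),          # "110.00"
        "log": audit_log,
    }


if __name__ == "__main__":
    result = demo()
    print("vulnerable handler would charge:", result["vulnerable_charge"])
    print("verified handler rejected tampered request:", result["rejected"])
    print("verified handler charged honest request:", result["honest_charge"])
    print(*result["log"], sep="\n")
```

The design point is that the client's grand_total never reaches the payment provider at all: the server's own computation does, and the posted value only decides whether to proceed. Logging the mismatch with the expected and posted figures gives operations a precise, low-noise detection for this class of tampering.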



Domain: http://www.coderbounty.com/post/?url=http%3A%2F%2Fgithub.com%2FCoderBounty%2Fcoderbounty%2Fissues%2F165

Reported on coderbounty.com

Total # of issues reported = 50

Reported by mrhacker14012001

Total Points of mrhacker14012001 = 13

Browser Version: 60.0

Operating System: Linux

OS Version:

Bug Type: Security
Status: open
Added on: May 17, 2019, 9:51 a.m.

Screenshot:



