How I got a 1,999₹ worth jersey for 1₹?
If you know me at all, then you must know I am a huge fan of CSK (Chennai Super Kings), the cricket franchise in India, and now that they have qualified for the playoffs I had to buy their jersey and support them with all I can. Well, that and I had pretty bad final exams, so that had me depressed too, so I had to hack something.
Let’s dig in
I started searching for online retailers selling CSK’s jersey and I found a website, let’s say example.com, which was selling the original jersey for 2000₹. I was happy that they were selling the jersey, but for me it was way too expensive, so I had to find a way to manipulate the price of the T-shirt so that it costs me less. I knew only one method that could allow me to play with the price parameters, and that was BurpSuite.
Burp mode on
I straight away opened BurpSuite and browsed example.com on my Firefox browser. I have carried out this process once before, check it out here.
How I got a 149$ t.v. subscription for 0.01$ — A blog that depicts how I manipulated the price of an online t.v. subscription website and got myself a next to free t.v. connection.
I decided to dive right in, but I was unsure, as most of the payment gateways these days are pretty complex to break down and get into. I had my hopes up. First I created the user profile the normal way and went on till the last part, where the payment was being carried out, and then turned on the proxy in BurpSuite to intercept the traffic. I started to go through the packet details being shown in BurpSuite and this one stood out.
As soon as I saw this, I searched for the hash tag that could have rendered the whole hack ineffective (there might be a way around it but I don’t know it; if you know, please comment down). To my surprise and pleasure that was missing, and so I got to work.
Playing or Paying the price
The first thing I did after that was to change the value of the product from 1999 to -1999, just to check whether that was working or not. It would have been great if it had worked, and trust me, it used to; then they would be depositing money in my account for buying the jersey from them. Well, unlucky me, it didn’t work for me and gave this error. I got a similar error when I tried to change the transaction value to 0.
I was kind of expecting it, because the same happened with my last stint, when I tried to change the price of the online t.v. subscription. So, no problem: I re-iterated the whole process and went with the price of 1 INR, which was allowed, as I expected.
I turned off the intercept as soon as the change was made, because most websites time out your session, so even though you actually made the right changes you still won’t be able to carry this out.
From there it redirected me to the payment gateway where the new price tag was updated, which was 1 INR.
I carried out a normal payment, which was for just 1 INR. It was a bit too surreal, because I actually thought they would stop me somewhere in between the whole process, but they didn’t. The order got confirmed and the jersey is set to arrive in a few days.
This was a serious mistake that I discovered; faults in a payment gateway can cause huge damage to the company that is hosting the service. The way in which I would have stopped the hacker from changing the price of the jersey would have been to send a hash code along in the POST request message, so that even if the attacker does change the plain-text price tag that is present in the POST request, he won’t be able to make the required change to the hash, thus rendering the attack ineffective and protecting the website from such scams.
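A minimal server-side sketch of the hash check described above, added here as an example and not code from the site or the original post. It uses a keyed HMAC-SHA256 rather than a plain hash, since an unkeyed hash could be recomputed by whoever edits the request; the key, SKU, order ID and field names are assumptions.

```python
import hashlib
import hmac

# Assumption: a secret known only to the merchant server (constructed value).
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"

# Assumption: server-side price list in paise; the SKU name is hypothetical.
CATALOGUE = {"csk-jersey": 199900}


def _canonical(order_id: str, sku: str, amount: int, currency: str) -> bytes:
    # Length-prefix each field so adjacent values cannot be shifted around.
    parts = [order_id, sku, str(amount), currency]
    return b"".join(f"{len(p)}:{p}".encode() for p in parts)


def sign_order(order_id: str, sku: str, amount: int, currency: str) -> str:
    """Return the hex HMAC-SHA256 the server embeds in the checkout form."""
    msg = _canonical(order_id, sku, amount, currency)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def build_checkout(order_id: str, sku: str) -> dict:
    """Fields sent to the browser; the price comes from the catalogue."""
    amount = CATALOGUE[sku]
    return {"order_id": order_id, "sku": sku, "amount": amount,
            "currency": "INR", "sig": sign_order(order_id, sku, amount, "INR")}


def verify_checkout(fields: dict) -> tuple:
    """Validate the POST that comes back, before the payment gateway hand-off."""
    try:
        order_id, sku = str(fields["order_id"]), str(fields["sku"])
        amount, currency = int(fields["amount"]), str(fields["currency"])
        sig = str(fields["sig"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed request"
    expected = sign_order(order_id, sku, amount, currency)
    # Constant-time comparison on bytes, so any client-supplied string is safe.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "signature mismatch"
    # Defence in depth: the catalogue, not the request, is the price of record.
    if CATALOGUE.get(sku) != amount:
        return False, "amount differs from catalogue price"
    return True, "ok"


if __name__ == "__main__":
    form = build_checkout("ORD-1001", "csk-jersey")   # constructed order
    print(verify_checkout(form))                      # untouched request
    print(verify_checkout({**form, "amount": 100}))   # price edited in transit
```

The second check matters as much as the signature: the amount charged should be looked up on the server, so a request that is validly signed but carries the wrong price is still refused.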
If you enjoyed it please do clap and happy hacking!
Twitter : twitter.com/aditya12anand
LinkedIn : linkedin.com/in/aditya12anand/