Parameter Tampering ₹→$

Suneet Singh
2 min read · Sep 26, 2020


Hell0 W0rld,

First, what is Parameter Tampering?

As the name suggests, Parameter Tampering is the manipulation of parameters exchanged between the client and the server in HTTP requests and responses. Parameters carry information such as currency type, country code, price, permissions, etc., which the application uses to drive its functionality and to modify application data.

Simply put, parameters carry specific data back and forth between client and server. If manipulated data is sent to the server and the server does not verify it or process it securely, the application can be made to behave in a malicious manner; this is known as a Parameter Tampering attack.

Now straight to the vulnerability,

I was specifically looking for parameter tampering vulnerabilities on a sports-based e-commerce website using Burp Suite. I was trying basic amount manipulation by changing the amount of money, but it didn’t work, as there were some verifications at the backend which kept correcting the amount on checkout.

So I tried changing the currency parameter from INR to USD, which changed the checkout amount from INR (Indian Rupees) to its USD (US dollar) equivalent, but -

-it did not change the currency type from INR to USD at checkout, i.e., on checkout it was still showing INR instead of $ USD, but with the manipulated USD-equivalent price of that product, and I was able to check out with the manipulated price.

[Screenshots: the currency parameter in the request, the original prices, and the manipulated amount]
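The failure mode above, as an added illustration that is not code from the original post or from the affected site: the server correctly re-derives the price from its catalogue (so a tampered amount is corrected) but still trusts the client-supplied currency for the conversion while charging in the store currency. The product ids, prices and exchange rate are constructed sample values; the hardened handler takes the currency from server-side session state instead of the form and logs a mismatch as a tampering signal.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical values, not from the post).
CATALOGUE_INR = {"bat-1001": 7500, "ball-2002": 1200}  # canonical prices in INR
FX_FROM_INR = {"INR": 1.0, "USD": 0.0136}              # conversion rates from INR
STORE_CURRENCY = "INR"                                  # currency the gateway charges in


@dataclass
class Order:
    amount: float
    currency: str


def checkout_vulnerable(form: dict) -> Order:
    """Mirrors the bug in the post: the price is re-read from the catalogue, so a
    tampered 'amount' field is ignored, but the client's 'currency' field still
    drives the conversion while the charge is made in the store currency."""
    price_inr = CATALOGUE_INR[form["product_id"]]
    rate = FX_FROM_INR.get(form.get("currency", STORE_CURRENCY), 1.0)
    converted = round(price_inr * rate, 2)
    # Bug: a USD-converted number is charged as INR.
    return Order(amount=converted, currency=STORE_CURRENCY)


def currency_mismatch(form: dict, session_currency: str) -> bool:
    """Detection hook: a form currency that differs from the server-side session
    currency is a tampering signal worth logging and alerting on."""
    return form.get("currency", session_currency) != session_currency


def checkout_fixed(form: dict, session_currency: str) -> Order:
    """Hardened handler: the currency comes from server-side session state, the
    client value is only compared for detection, and amount and charge currency
    are derived together so they can never disagree."""
    if session_currency not in FX_FROM_INR:
        raise ValueError("unsupported currency")
    if currency_mismatch(form, session_currency):
        print(f"ALERT currency tamper attempt: form={form.get('currency')!r} "
              f"session={session_currency!r}")
    price_inr = CATALOGUE_INR[form["product_id"]]
    amount = round(price_inr * FX_FROM_INR[session_currency], 2)
    return Order(amount=amount, currency=session_currency)
```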

I reported this bug, they fixed it, and it got accepted under P3. Hope you people find this writeup informative; any feedback is welcome.

🙏
