Business Logic Errors: Price Manipulation Allows an Attacker to Get a Discount at HoopsIndonesia.co.id

Naufal Ardhani
4 min read · Sep 27, 2022

Finally, after being busy at college, I was able to write this bug bounty article. For context, this article involves web exploitation and cryptography, so if you are a CTF player its contents may be relevant to you, because the encryption involved is one that is often used in CTF competitions.

I discovered this vulnerability in 2020, but back then there was no encryption of the POST data. I tried it again in July 2022, and the security system had been strengthened by adding encryption.

What is a Business Logic Error?

Business logic, or application logic, is the core logic of your website. It defines how data can be created, stored and modified, and it consists of the features that are specific to your business, usually developed for you.

Business Logic Errors are ways of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization. There are various cases where these errors can result in enormous business losses.

Summary

I found this vulnerability in the add-to-cart feature. When I captured the request I found something interesting: JSON containing a `data` parameter whose value was encrypted. At first I thought the encryption was base64, but when I tried to decode it, it turned out to be nothing. Before testing, I did some research to find out what technology this web uses and found that it uses ReactJS; as far as I know, we can see the source of a ReactJS app by accessing the Sources tab in the inspect element. It didn't take long for me to get the encryptionFunction.js file, which contains information such as which encryption was used: it turns out the encryption uses the AES algorithm, and there is also the key to decrypt the encrypted data. After decrypting the AES encryption I got data in the form of JSON containing prices and other information. Not only that, the JSON data can also be manipulated, so I could change the prices. Then I tried to order the shoes, and yes, 2 days later the shoes arrived at my house.

Steps to reproduce:

1. I accessed the shoe product preview page.

2. I captured the request and clicked the add to cart button.

3. When I tried to decrypt the encrypted value in the JSON key `data` with base64, it failed.

4. I got information about the encryption algorithm used, namely AES in CBC mode, and also the key.

5. After that I decrypted the encrypted POST data value and got JSON data containing price information and other fields.

6. I changed the discount to 99% and it worked!

[Images: shoe delivery receipt being processed; payment successful; payment accepted]

FINALLY I GOT AN INVOICE FOR THE SHOES!

Mitigation

  • -
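The core fix for a price-manipulation flaw of this kind is to make the server the only source of prices and discounts: the client sends product identifiers and quantities, and every monetary value is recomputed from server-side data. The following is an added example, not code from the article or from the HoopsIndonesia site; the catalog, the promotion table, the discount cap and the field names are all constructed.

```javascript
// Added example (not the site's code): server-side pricing that ignores any price or discount
// value supplied by the client. Catalog, promotions and limits are constructed for the example.
const CATALOG = new Map([
  ['SHOE-001', { price: 1000000, active: true }],
  ['SHOE-002', { price: 750000, active: true }],
  ['SHOE-OLD', { price: 500000, active: false }],
]);

// Promotions live on the server; a code maps to a percentage with an expiry.
const PROMOTIONS = new Map([
  ['WELCOME10', { percent: 10, expires: Date.parse('2030-01-01T00:00:00Z') }],
]);

const MAX_DISCOUNT_PERCENT = 30; // hard cap enforced regardless of promotion data
const MAX_QTY_PER_LINE = 20;

// request: { items: [{ sku, qty }], promo_code? }
// Any other fields (price, discount_percent, total, ...) are deliberately ignored.
function priceCart(request, now = Date.now()) {
  if (!request || !Array.isArray(request.items) || request.items.length === 0) {
    throw new Error('cart is empty');
  }

  let subtotal = 0;
  for (const item of request.items) {
    // Only the identifier and the quantity are read from the client.
    const entry = CATALOG.get(String(item.sku));
    if (!entry || !entry.active) throw new Error(`unknown or inactive sku ${item.sku}`);
    const qty = item.qty;
    if (!Number.isInteger(qty) || qty < 1 || qty > MAX_QTY_PER_LINE) {
      throw new Error(`invalid quantity for ${item.sku}`);
    }
    subtotal += entry.price * qty;
  }

  // The discount comes from the server's promotion table, never from a client-supplied number,
  // and is capped even if the promotion record itself is misconfigured.
  let percent = 0;
  if (request.promo_code !== undefined) {
    const promo = PROMOTIONS.get(String(request.promo_code));
    if (!promo || promo.expires <= now) throw new Error('invalid or expired promo code');
    percent = Math.min(promo.percent, MAX_DISCOUNT_PERCENT);
  }

  const total = Math.round((subtotal * (100 - percent)) / 100);
  return { subtotal, discount_percent: percent, total };
}

// A request carrying its own price and a 99% discount prices exactly like one without them.
console.log(priceCart({ items: [{ sku: 'SHOE-001', qty: 1 }], price: 1, discount_percent: 99 }));
```

Whether the transport is additionally encrypted is then irrelevant to pricing correctness: a tampered payload can at most change the SKU or quantity, both of which are validated against server-side data. Logging rejected requests (unknown SKU, out-of-range quantity, invalid promo code) also gives a simple detection signal for probing of the checkout flow.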

Thank you to Hoops Indonesia for responding, I hope your application security is always maintained!

Timeline:

  • 30/07/2022: Bug reported.
  • 05/08/2022: I returned the shoes to the nearest shop & the owner gave me a bounty.
  • 08/08/2022: The owner gave me a certificate of appreciation.
