Using Burp Suite Intruder I repeated my failed payment request 10,000 times, starting from “target:payments:packages:1” and incrementing the ID up to “target:payments:packages:10000”. I was curious to see if I could find any other valid package IDs and, if so, what prices and payment terms they were linked to. The thing that caught my attention was the numerical ID in the package_id parameter.
It also confirmed that the subscription was monthly. The amount was the monthly value of the subscription, £19.99 in pence. In the response I received the string “term”:”monthly”,”price”. I noticed that the request to buy with my credit card transaction token included the string “package_id”:”target:payments:packages:1205″. The subscription I had attempted to purchase via the website was the platform’s premium service at £19.99 per month. The payment failed, of course, and so I went back to look at all of the requests and responses captured in Burp through this process. While hacking on a private SaaS bug bounty program, I went through the new user sign-up funnel and entered a test card at the payment page.
When the payment fails (or succeeds!) I look through all of the requests and responses for the entire process, searching for anything which looks interesting. Whenever I’m bug hunting on a target that takes payments, I always try to buy something using a test credit card number as described in my write-up on Cracking Encrypted Credit Card Numbers. I found a way to alter a premium subscription service price and bought it for a penny.
0 kommentar(er)
