The Bug That Kept On Giving :: PaymentBypass :: QR CODE

How we got there

A story of a bug I found through QR code response manipulation.

I was scrolling my Twitter feed when I came across a tweet from @intigriti about paywall bypass, and I remembered I had a target that had payment bypass in scope.

I went ahead and visited the program xboy (why). xboy had a website offering an option to buy e-giftcards, https://xboy.be/nl/xboy-gift, that would redirect you to https://gifts.xboy.be. This process contains a flow like:

select gift card -> get taken to cart -> fill in all the details -> Verify info -> Select payment (By QR Code) -> get qr code -> scan qr to pay (Vulnerable area)

Reproduction steps

  1. Visit https://gifts.xboy.be
  2. Select a gift card
  3. Get taken to cart -> fill in all the details -> Verify info -> Select payment (QR code) -> get QR code -> scan QR to pay
  4. Open Burp and intercept the request with the payment info, `POST /rest/Payment/v1/status?`, and JSON data `{"paymentData": "DATAAAA"}`
  5. Select Burp's do intercept response option.
  6. Intercept the response, which should contain a JSON parameter with `{"payload": "","resultCode":"pending","type":"complete"}`
  7. Change the response from `{"payload": "","resultCode":"pending","type":"complete"}` to `{"payload": "","resultCode":"complete","type":"complete"}`
  8. Now you should receive a green check to show payment complete and get redirected to
  9. After several minutes you should receive email confirmation of your purchase.

I made a report and sent it to the program, and after a few days it got accepted as high severity and a bounty of €€€ was awarded.
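The defensive counterpart to the steps above, as an added example that is not part of the original post or xboy's code: fulfilment decided from the payment provider's server-side record instead of the `resultCode` the browser reports. The post does not say how the backend decided to fulfil the order; the function names, order ids and the `PSP_LEDGER` stand-in are assumptions made for illustration.

```python
# Added illustration; every name here is hypothetical, not xboy's code.
# PSP_LEDGER stands in for the payment provider's server-side record
# (normally read via a server-to-server status call or a signed webhook).
PSP_LEDGER = {
    "order-1001": "pending",   # QR code shown, never paid (constructed)
    "order-1002": "complete",  # genuinely paid (constructed)
}


def fulfil_trusting_client(order_id, client_status):
    """Flawed pattern: release the gift card on what the browser reports.

    client_status is the JSON the client saw, which an intercepting proxy
    can rewrite from "pending" to "complete" as in the steps above.
    """
    return client_status.get("resultCode") == "complete"


def fulfil_verified(order_id, client_status, ledger=PSP_LEDGER):
    """Hardened pattern: the server-side record decides, not the client."""
    authoritative = ledger.get(order_id)  # None for unknown orders
    claimed = client_status.get("resultCode")
    if claimed == "complete" and authoritative != "complete":
        # A mismatch is a detection signal worth logging and alerting on.
        alert = f"{order_id}: client claims complete, provider says {authoritative}"
        return {"fulfil": False, "alert": alert}
    return {"fulfil": authoritative == "complete", "alert": None}


if __name__ == "__main__":
    # Constructed sample: the response body after tampering.
    tampered = {"payload": "", "resultCode": "complete", "type": "complete"}
    print(fulfil_trusting_client("order-1001", tampered))
    print(fulfil_verified("order-1001", tampered))
    print(fulfil_verified("order-1002", tampered))
```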
