The Bug That Kept On Giving :: PaymentBypass :: Exposed Return URL

How we got there

A story of the second bug I found after my initial payment bypass via the QR code.

It was the same program, xboy (why). xboy had a website offering an option to buy e-gift cards: https://xboy.be/xboy-gift, which would redirect you to https://gifts.xboy.be.

The process follows this flow: select ticket -> get taken to cart -> fill in all the details -> verify info -> select payment (QR code) -> get QR code -> scan QR to pay (vulnerable area).

Reproduction steps

  1. Visit gifts.xboy.be
  2. Select a ticket
  3. Get taken to cart -> fill in all the details -> verify info -> select payment (QR code) -> get QR code -> scan QR to pay
  4. Open Burp and intercept the request with the payment info: GET /v1/status?authorisation=[id here]&transaction=[id here] with an empty body
  5. Select Burp's "do intercept response" option.
  6. Intercept the response, which should contain a JSON body with
{"Response":[{"IssuerTransaction":{"uuid":"[uuid]","created":"[time stamp]","updated":"[time stamp]","name":"xboy","description":"1291","amount":{"currency":"USD","value":"13.37"},"status":"CREATED","transaction_id":"[id]","purchase_id":"[alphanumeric id]","return_url":"https://shop.xboy.be/complete.shtml?sessionId=id&pspEchoData=[data]&ec=[data]","qr":{"qr_data":"[base64 image data]","qr_content_type":"image/png"}}}]}
  7. Extract return_url
["return_url":"https://shop.xboy.be/complete.shtml?sessionId=id&pspEchoData=[data]"]
  8. Now you should receive a green check to show payment complete
  9. After several minutes you should receive email confirmation of your purchase

I made a report and sent it to the program, and after a few days it got accepted as high severity and a bounty (€€€) was awarded.
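
On the defensive side, the steps above point to two gaps: the status response hands the browser return_url while the transaction is still CREATED, and the completion page apparently treats a visit to that URL as proof of payment. The sketch below is an added example, not the program's code, showing both checks done server-side. Transaction, STORE, the two function names and the "PAID" status value are assumptions; only status, return_url and transaction_id come from the response shown above.

```python
# Added example: Transaction, STORE and both function names are hypothetical;
# only status, return_url and transaction_id come from the response above.
from dataclasses import dataclass

PAID_STATES = {"PAID"}  # assumption: the PSP's name for a settled payment


@dataclass
class Transaction:
    transaction_id: str
    status: str  # last value confirmed server-to-server by the PSP
    return_url: str
    fulfilled: bool = False


# Constructed sample data keyed by session id: one unpaid, one paid.
STORE = {
    "s-unpaid": Transaction("t1", "CREATED", "https://shop.example/complete?sessionId=s-unpaid"),
    "s-paid": Transaction("t2", "PAID", "https://shop.example/complete?sessionId=s-paid"),
}


def status_response(txn):
    """Client-facing body for the status poll."""
    body = {"transaction_id": txn.transaction_id, "status": txn.status}
    # Hand the browser its redirect target only once the payment is settled.
    if txn.status in PAID_STATES:
        body["return_url"] = txn.return_url
    return body


def complete_order(store, session_id):
    """Handler behind the return URL; reaching it proves nothing about payment."""
    txn = store.get(session_id)
    if txn is None:
        return 404, "unknown session"
    if txn.status not in PAID_STATES:
        return 402, "payment not confirmed"
    if txn.fulfilled:
        return 200, "already fulfilled"  # idempotent: no second gift card
    txn.fulfilled = True
    return 200, "order fulfilled"


if __name__ == "__main__":
    for sid in ("s-unpaid", "s-paid", "s-paid"):
        print(sid, status_response(STORE[sid]), complete_order(STORE, sid))
```

The second check is the one that matters: even if return_url leaks some other way, the order is only fulfilled when the stored, PSP-confirmed status says the payment settled.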
