Business Logic Vulnerability

How manipulation of checkout quantities led to price bypass in e-commerce platforms.

Overview

Business logic vulnerabilities are flaws in the design and implementation of an application's business rules. Unlike traditional security vulnerabilities (such as SQL injection or XSS), business logic flaws abuse the application's intended functionality rather than a coding defect, which makes them particularly dangerous and easy for automated scanners to miss.

Type: Business Logic Flaw
Affected: Shopping Cart, Checkout Process
Impact: Price manipulation, financial loss
CVSS: 8.2 (High)

The Vulnerability

During our research, we discovered that several e-commerce platforms failed to properly validate the relationship between item quantities and total price calculations. Attackers could manipulate the quantity of items in their cart to negative values, resulting in a reduced total price or even a credit to their account.

Technical Details

The vulnerability existed because the application calculated the total price on the client side and performed only basic validation on the server. By intercepting the checkout request and modifying the quantity parameters, attackers could submit negative quantities that the server accepted as-is.

// Vulnerable code example
function calculateTotal(items) {
  let total = 0;
  items.forEach(item => {
    total += item.price * item.quantity; // No validation on quantity
  });
  return total;
}

Attack Scenario

// Intercepted request
POST /api/checkout HTTP/1.1
Host: example-shop.com

{
  "items": [
    {"productId": 123, "quantity": 1, "price": 100},
    {"productId": 456, "quantity": -1, "price": 50}
  ]
}

Impact

Remediation

// Secure code example
function validateCheckout(items) {
  let total = 0;
  for (let item of items) {
    // Reject zero, negative and non-integer quantities before any arithmetic
    if (item.quantity <= 0 || !Number.isInteger(item.quantity)) {
      throw new Error('Invalid quantity');
    }
    // Price comes from the product database, never from the request body
    const dbPrice = getProductPrice(item.productId);
    total += dbPrice * item.quantity;
  }
  return total;
}
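The following is an added example, not code from the article, that runs the intercepted checkout body above through both a client-trusting total and a server-side validator. The product catalogue, the MAX_QUANTITY cap and the function names are assumptions standing in for the shop's database and policy.

```javascript
// Constructed product catalogue standing in for the shop's product database.
const CATALOG = new Map([
  [123, { name: 'Headphones', price: 100 }],
  [456, { name: 'Cable', price: 50 }],
]);
const MAX_QUANTITY = 100; // assumed per-line limit; tune to the business

// Vulnerable behaviour: trusts client-supplied price and quantity.
function vulnerableTotal(items) {
  return items.reduce((sum, item) => sum + item.price * item.quantity, 0);
}

// Hardened behaviour: authoritative prices, strict quantity checks.
function secureTotal(items) {
  if (!Array.isArray(items) || items.length === 0) {
    throw new Error('Cart must contain at least one item');
  }
  let total = 0;
  for (const item of items) {
    const product = CATALOG.get(item.productId);
    if (!product) throw new Error(`Unknown product ${item.productId}`);
    const qty = item.quantity;
    // The typeof guard stops strings, null and booleans before the integer check;
    // the range check rejects negative, zero and absurdly large quantities.
    if (typeof qty !== 'number' || !Number.isInteger(qty) ||
        qty < 1 || qty > MAX_QUANTITY) {
      throw new Error(`Invalid quantity for product ${item.productId}`);
    }
    total += product.price * qty; // client-supplied item.price is ignored
  }
  return total;
}

// The intercepted checkout body from the attack scenario above.
const attackCart = [
  { productId: 123, quantity: 1, price: 100 },
  { productId: 456, quantity: -1, price: 50 },
];

console.log('vulnerable total:', vulnerableTotal(attackCart)); // 50 instead of 100
try {
  secureTotal(attackCart);
} catch (e) {
  console.log('secure handler rejected cart:', e.message);
}
```

The same validator also defeats the sibling tamper of lowering `price` in the request, because the server-side total never reads that field.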

Timeline
