Price Manipulation Bypass Using Integer Overflow Method

Introduction

The website I am doing bug bounty on is private, so let's just call it redacted.com. Redacted.com is an e-commerce website that allows users to buy items directly from the site.

Integer Overflow

During my recon, I noticed that Wappalyzer reported redacted.com as using PHP. PHP has several data types, such as String, Integer and Float. A signed integer in PHP has a limit on how large a number it can store, and that limit depends on the system it runs on (32-bit or 64-bit). A quantity that is pushed past that limit does not stay large: it ends up as a negative number, which is what the steps below exploit.

Exploitation

Let’s say Item A is 10$ each and Item B is 80$ each.

  1. I ordered 9223372036854775808 of Item A.
  2. Upon submitting, the quantity became -9223372036854775808, proving the existence of the integer overflow bug.
  3. I ordered another 9223372036854775800 of Item A, so I had -8 of Item A in total.
  4. Now, my cart total was -80$.
  5. I ordered 1 of Item B (80$).
  6. Now, my cart total was $0.00.
  7. At first, I thought that this was just a visual bug, and that there was probably another check on the server for negative quantities. To be sure that this was not a visual bug, I checked out my cart and paid using PayPal. To my surprise, the bug worked and I got my items for FREE.
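The server-side checks that would have stopped this, as an added PHP example that is not the site's code: the prices are the write-up's, while the per-line limit of 1000 and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed sample prices from the write-up; a cart is a map item => quantity.
const PRICES = ['A' => 10.00, 'B' => 80.00];
const MAX_QTY_PER_LINE = 1000;   // assumed business limit, not from the write-up

// Vulnerable pattern: trusts whatever quantity the request carried and only adds
// it up, so the cart state reached in the write-up (-8 of A, 1 of B) totals 0.00.
function vulnerableTotal(array $cart): float {
    $total = 0.0;
    foreach ($cart as $item => $qty) {
        $total += PRICES[$item] * $qty;
    }
    return $total;
}

// Hardened: a quantity is accepted only if it is an integer in [1, MAX_QTY_PER_LINE].
// FILTER_VALIDATE_INT also rejects numeric strings that exceed PHP_INT_MAX, so
// "9223372036854775808" never reaches arithmetic or the database.
function parseQuantity(mixed $raw): int {
    $qty = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => MAX_QTY_PER_LINE],
    ]);
    if ($qty === false) {
        throw new InvalidArgumentException('Rejected quantity: ' . var_export($raw, true));
    }
    return $qty;
}

function addToCart(array $cart, string $item, mixed $rawQty): array {
    if (!isset(PRICES[$item])) {
        throw new InvalidArgumentException("Unknown item $item");
    }
    $newQty = ($cart[$item] ?? 0) + parseQuantity($rawQty);   // bounded, cannot overflow
    if ($newQty > MAX_QTY_PER_LINE) {
        throw new InvalidArgumentException("Line limit exceeded for $item");
    }
    $cart[$item] = $newQty;
    return $cart;
}

// Checkout recomputes the total from stored lines and refuses anything that is
// not strictly positive, so a corrupted cart cannot be paid for at $0.00.
function checkoutTotal(array $cart): float {
    $total = 0.0;
    foreach ($cart as $item => $qty) {
        if (!is_int($qty) || $qty < 1 || $qty > MAX_QTY_PER_LINE) {
            throw new RuntimeException("Corrupt cart line for $item");
        }
        $total += PRICES[$item] * $qty;
    }
    if ($total <= 0.0) {
        throw new RuntimeException('Non-positive order total');
    }
    return $total;
}

echo vulnerableTotal(['A' => -8, 'B' => 1]), "\n";
$cart = addToCart([], 'B', '1');
echo checkoutTotal($cart), "\n";
try {
    addToCart($cart, 'A', '9223372036854775808');   // the write-up's first quantity
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Requires PHP 8 for the `mixed` parameter type; the checkout check matters even with input validation, because it is the last point before money moves.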
