# Payment & Pricing Bypass
Manipulate payment flows via price tampering, negative quantities, order ID swapping, or state machine abuse.
## TL;DR

Or intercept the payment callback and replay a success response.
## Detection

### Map the Flow
- Add to cart → Checkout → Payment → Confirmation
- Identify client-controlled values: price, quantity, plan_id, order_id, currency
- Find state gaps: failed payment → feature access
- Check callback mechanisms: webhooks, return URLs
### Key Areas
- Checkout forms with hidden price fields
- Plan/subscription selection
- Discount/coupon application
- Payment provider integrations
- Order confirmation callbacks
## Exploitation

### Price Tampering

Direct Manipulation:

Hidden Fields:
### Negative Quantity Attack

```json
{
  "items": [
    {"name": "Burger", "price": 1200, "quantity": 2},
    {"name": "Pudding", "price": 900, "quantity": -1}
  ],
  "total": 1870
}
```

$0 Order:

```json
{
  "items": [
    {"name": "Premium", "price": 4999, "quantity": 1},
    {"name": "Discount", "price": 5000, "quantity": -1}
  ]
}
```
### Plan ID Enumeration

### Order/Payment ID Swapping
1. Start checkout for $1.99 → get order_id=ABC
2. Start checkout for $149 → intercept
3. Replace order_id with ABC
4. Pay $1.99, receive $149 plan
### Payment State Machine Abuse
1. Start premium subscription (insufficient funds)
2. Payment fails → notification received
3. Increase seats (also fails)
4. Cancel subscription
5. Premium features remain accessible!
State bug: PAID → FAILED → CANCELLED but features stay ACTIVE
### Currency Arbitrage

```http
GET /orders/new?p=214&cur=usd
# Original: €33,600
# Modified: $33,600 (same number, different currency)
```
### Response Tampering

```jsonc
// Original
{"status": "failed", "payment_complete": false}
// Tampered
{"status": "success", "payment_complete": true}
```

### Callback/Webhook Manipulation

### UI State Cache Abuse (Uber Surge)
1. Open ride request in surge area (1.3x)
2. Navigate map to non-surge area
3. Click "Set pickup" (caches non-surge state)
4. Change pickup back to surge area
5. Pay non-surge price despite surge indicator
### Trial Racing

```bash
# Race the "Get free trial" button: fire the requests concurrently,
# then wait for the background jobs so the loop does not exit early
for i in {1..50}; do
  curl -X POST /trial/claim -H "Cookie: session=..." &
done
wait
# 1 trial → 6 trials
```
### Leading Space Bypass

A value with a leading space (e.g. `" premium"`) slips past the subscription check when the untrimmed string is compared during validation and `trim()` is only applied afterwards, so the trimmed value is what ends up granting access.
## Bypasses

### Client-Side Only Validation

```bash
# Frontend: if (price < 0) throw "Invalid";
# Backend doesn't validate
curl -X POST /checkout -d 'price=-100'
```
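The server-side counterpart to the tampering above, added here as an example (not code from the original page): it prices the order from a constructed server-side catalog rather than trusting client values, and refuses the negative-quantity, $0, tampered-price and swapped-currency payloads shown earlier on this page. `CATALOG`, `price_order` and `is_rejected` are assumed names.

```python
# Constructed server-side catalog: (currency, unit price in minor units).
# Client-supplied prices are never used for pricing; they are only compared
# against the catalog so that tampering can be rejected and logged.
CATALOG = {
    "Burger": ("EUR", 1200),
    "Pudding": ("EUR", 900),
    "Premium": ("EUR", 4999),
}


class CheckoutError(ValueError):
    """Raised for any order the server refuses to price."""


def price_order(items, client_total=None, client_currency=None):
    """Recompute an order from CATALOG and return (currency, total).

    Rejects empty orders, unknown SKUs, non-positive or non-integer
    quantities, mixed or mismatched currencies, and any client price or
    total that disagrees with the server-side recomputation.
    """
    if not items:
        raise CheckoutError("empty order")
    currency, total = None, 0
    for item in items:
        name = item.get("name")
        if name not in CATALOG:
            raise CheckoutError(f"unknown item {name!r}")
        qty = item.get("quantity")
        # bool is an int subclass; exclude it, then require a positive integer
        if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
            raise CheckoutError(f"invalid quantity for {name!r}: {qty!r}")
        sku_currency, unit_price = CATALOG[name]
        currency = currency or sku_currency
        if sku_currency != currency:
            raise CheckoutError("mixed currencies in one order")
        if "price" in item and item["price"] != unit_price:
            raise CheckoutError(f"client price for {name!r} differs from catalog")
        total += unit_price * qty
    if client_currency is not None and client_currency.upper() != currency:
        raise CheckoutError("order currency does not match catalog currency")
    if client_total is not None and client_total != total:
        raise CheckoutError("client total differs from recomputed total")
    return currency, total


def is_rejected(items, **kwargs):
    """True when price_order refuses the order; convenient for checks."""
    try:
        price_order(items, **kwargs)
    except CheckoutError:
        return True
    return False
```

Every rejection is a tamper signal worth logging with the session and order id, since a legitimate client never produces these payloads.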
### Feature Flag Persistence
1. Features enabled optimistically during payment
2. Payment failure doesn't sync disable
3. Cancel before background sync runs
## Real Examples

| Target | Bug | Impact |
|---|---|---|
| OLO/Upserve | Negative quantity | Reduced order price |
| Zomato | Plan ID 147 | Free premium |
| (not named) | Order ID swap | Reduced payment |
| Starbucks CH | Callback craft | Free top-up |
| Uber | Surge cache | 23% discount |
| Lemlist | Failed payment state | Premium bypass |
## Tools
| Tool | Purpose |
|---|---|
| Caido | Intercept, tamper parameters |
| Param Miner | Hidden parameter discovery |
| Intruder | Plan ID/price enumeration |
Testing: