Has anyone experienced problems with the existing E-junkie IDOR vulnerability that allows a hacker using a tool such as Burp Suite to modify button parameters including the price of an item that is sent to the payment processor? If so, do you have a solution? In my case, using 2checkout, E-junkie sends out the software activation code to the hacker before 2checkout completes their fraud testing. As a result, a bogus price of $0.01 is accepted and the software code is sent before the fraud is detected.
Multiple problems:
1) The price is successfully manipulated by the hacker using Burp Suite and sent to 2checkout and accepted. This is due to the IDOR vulnerability.
2) E-junkie and 2checkout are not tightly integrated, which allows the order to be fulfilled (i.e. the activation code is emailed to the hacker by E-junkie) before the 2checkout fraud check is completed.
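
For both problems above, a merchant-side fulfilment gate can help. This is an added example, not part of the original post and not E-junkie or 2checkout code. The notification fields (`product_id`, `amount`, `currency`, `fraud_status`), the HMAC signing scheme, the secret and the catalog are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from decimal import Decimal

# Hypothetical server-side catalog: the only trusted source of prices.
CATALOG = {"SKU-APP-1": (Decimal("49.00"), "USD")}
SECRET = b"constructed-demo-secret"  # assumed secret shared with the processor


def sign(body: bytes) -> str:
    """HMAC-SHA256 over the raw notification body (assumed signing scheme)."""
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()


def fulfilment_decision(body: bytes, signature: str) -> str:
    """Return 'release', 'hold' or 'reject' for one payment notification."""
    if not hmac.compare_digest(sign(body), signature):
        return "reject"  # not from the processor, or altered after signing
    try:
        note = json.loads(body)
        expected = CATALOG[note["product_id"]]
        paid = (Decimal(str(note["amount"])), note["currency"])
        price_ok = paid == expected  # never trust the price the browser sent
        fraud = note["fraud_status"]
    except (ValueError, KeyError, TypeError, ArithmeticError):
        return "reject"  # malformed notification or unknown product
    if not price_ok:
        return "reject"  # charged amount differs from the catalog price
    if fraud != "pass":
        return "hold"  # fraud review not finished: do not email the code yet
    return "release"


if __name__ == "__main__":
    # Constructed sample notifications: (amount, fraud_status)
    for amount, fraud in [("49.00", "pass"), ("0.01", "pass"), ("49.00", "pending")]:
        body = json.dumps({"product_id": "SKU-APP-1", "amount": amount,
                           "currency": "USD", "fraud_status": fraud}).encode()
        print(amount, fraud, "->", fulfilment_decision(body, sign(body)))
```

The activation code is only sent on `release`; a `hold` order waits until a later notification reports that the fraud check has passed.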