Logic Bugs in Payment Gateway
Finding bugs in a payment gateway is more rewarding than you might think, because it is the part of a web application that actually generates revenue. A single logic flaw in the payment flow can cause enormous damage, so a company cannot afford to overlook even one vulnerability. In this post we are going to explore the logic flaws (vulnerabilities) commonly found in payment gateways.
Before that, you need to understand:
How are payment gateways configured in a web application?
Looking at current practice, there are only 4 methods developers use to integrate a payment gateway into a web application:
- Using a third-party payment gateway by redirecting users to it.
- Embedding a third-party payment gateway in an IFRAME on the application.
- Using an HTML form that makes a cross-domain POST request to the third-party gateway.
- Accepting card details directly and then making a POST request to the payment gateway's API.
So the attack surface for this type of functionality is Intercept and Redirect.
Intercept:
With this method, when the web app makes a POST request to the payment gateway, we intercept that request and tamper with its data (for example, changing the amount from $10 to $1) before sending it on to the gateway. This bug is called 'Tampering' or 'Price Manipulation'; when the same technique is applied to item quantities, we call it 'Inventory Manipulation'.
Redirect:
This is exploited with the same techniques used for an Open Redirect: by simply replacing the gateway URL with an attacker-controlled URL, users can be redirected to the attacker's website.
This Open Redirect is possible whenever the URL is not validated on the server.
These are the attack surfaces for payment gateways.
Now that you have the basics, let's dive into the more interesting stuff:
Where can you find the opportunity to exploit these flaws?
- E-commerce Websites
- Subscription Websites
So, on to the main course.
Following are the logic flaws you can use for exploitation:
1. Discount & Coupon Codes :
During checkout there is functionality for applying discounts and coupon codes. You can test this by:
- Reusing Expired/Invalid Codes: Testing if old or invalid codes are still accepted due to server-side flaws.
- Stacking Discounts: Applying multiple codes together when the system should allow only one.
- Unlimited Usage: Exploiting "one-time use" codes by bypassing usage checks.
2. Payment Amount Manipulation :
You can tamper with the payment amount by capturing the POST request with Burp Suite. To use this method effectively, check the following:
- Changing Amount in Requests: Intercepting API requests and modifying the payable amount.
- Discount on Non-Discountable Items: Applying discounts to restricted products.
- Modifying Shipping Fees: Setting shipping fees to zero or negative values.
3. Payment Token and Transaction Validation :
This logic flaw occurs in the exchange between the application and the gateway. Following are the potential flaws:
- Token Replay Attacks: Reusing a valid payment token to complete multiple transactions.
- Skipping Validation: Directly calling the success endpoint without completing the payment.
- Forged Payment Responses: Manipulating server responses to mark an order as paid.
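As an added illustration (not code from the original post), here is the server-side shape that closes the intercept case from the Intercept section and the replay and forged-response cases from sections 2 and 3: the amount due is recomputed from the server's own catalog, and a gateway callback is accepted only when its HMAC signature verifies, its amount and currency match the stored order, and its transaction id has not been credited before. The catalog, webhook secret, in-memory order store and simulated gateway callback are constructed for this example and stand in for a real database and gateway integration.

```python
import hashlib
import hmac
import json
from decimal import Decimal, InvalidOperation

# Constructed for this example: catalog, webhook secret and in-memory order store (stand-ins).
CATALOG = {"sku-100": Decimal("10.00"), "sku-200": Decimal("25.50")}
WEBHOOK_SECRET = b"constructed-webhook-secret"
ORDERS = {}             # order_id -> {"amount", "currency", "paid"}
_seen_txn_ids = set()   # gateway transaction ids already credited, to reject replays

def create_order(order_id, cart):
    """Price the cart from the server catalog only; any client-sent price or total is ignored."""
    total = Decimal("0")
    for sku, qty in cart.items():
        if sku not in CATALOG or not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"rejected line item {sku!r}")
        total += CATALOG[sku] * qty
    ORDERS[order_id] = {"amount": total, "currency": "USD", "paid": False}
    return total

def sign(body: bytes) -> str:
    return hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()

def simulate_gateway(order_id, amount, txn_id, status="paid", currency="USD"):
    """Stand-in for the gateway's signed callback (hypothetical format, not a real gateway API)."""
    body = json.dumps({"order_id": order_id, "status": status, "amount": amount,
                       "currency": currency, "txn_id": txn_id}).encode()
    return body, sign(body)

def handle_gateway_callback(body: bytes, signature: str) -> bool:
    """Mark the order paid only if the callback is authentic, complete, matching and unseen."""
    if not hmac.compare_digest(sign(body), signature):
        return False                                    # forged or tampered response
    try:
        data = json.loads(body)
        amount = Decimal(str(data.get("amount")))
    except (ValueError, InvalidOperation):
        return False                                    # malformed body or amount
    order = ORDERS.get(data.get("order_id"))
    if order is None or order["paid"] or data.get("status") != "paid":
        return False                                    # unknown, already paid, or not actually paid
    if data.get("txn_id") in _seen_txn_ids:
        return False                                    # replayed token / transaction
    if amount != order["amount"] or data.get("currency") != order["currency"]:
        return False                                    # partial payment or altered amount/currency
    _seen_txn_ids.add(data["txn_id"])
    order["paid"] = True
    return True
```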
4. Payment Flow Redirection :
It occurs when users are redirected to external payment gateways.
Potential Issues:
- Unvalidated Return URLs: Manipulating redirection to skip confirmation steps.
- Third-Party API Exploits: Exploiting integrations with weak parameter validation.
- Partial Payments: Completing only a portion of the required payment due to misconfigured systems.
5. Installment and Subscription Payments :
It happens during the recurring billing of a subscription:
- Skipping Installments: Preventing further charges by canceling or modifying subscriptions.
- One-Time Payments Instead of Subscriptions: Exploiting the system to charge a one-time fee instead of recurring payments.
6. Currency and Exchange Rate Handling
It happens when a user tries to convert payment amounts across currencies.
Potential Issues:
- Incorrect Exchange Rates: Exploiting mismatched or outdated currency conversion rates.
- Currency Rounding Issues: Manipulating values to pay less due to rounding errors.
7. Gift Card or Wallet Recharge Systems
It happens when users add funds to a gift card or wallet system.
Potential Issues:
- Overcharging Wallets: Crediting more funds than paid for.
- Infinite Balances: Exploiting logic flaws to increase wallet balance without payment.
— — — — — — — — — — — — — —
Obviously there are more logic flaws than you think, but I should stop here, because this post is already too long. Maybe I should cover more flaws in my newsletter, so consider subscribing to my newsletter:
and you can also follow me on X:
https://x.com/spectat0rguy?t=bp6JxuQNWR
Consider buying me a coffee because I am addicted to caffeine ☕ :