Vulnerability Summary
The Online Shopping System web application is vulnerable to client-side parameter manipulation, allowing attackers to bypass front-end protections and submit arbitrary order data. By directly sending crafted HTTP POST requests to the checkout endpoint, an attacker can set the order's total payment amount to zero (or any value), resulting in unauthorized purchases and loss of revenue.
Affected Component
- Endpoint: /checkout.php
- Impacted tables: orders_info, order_products
- Version: All versions up to 2025-10-09 (latest commit on master branch)
Vulnerability Details
The checkout process relies on hidden form fields and client-side JavaScript to collect and validate order details (product name, quantity, price, total count, etc.). However, the server-side code (checkout.php and checkout_process.php) trusts these client-supplied values without further validation or recalculation against the actual cart or product database.
An attacker can intercept and modify the POST request sent to /checkout.php, changing the values of amount_X and quantity_X parameters to arbitrary values, including negative numbers or zero. The server will accept these values and record them in the database, resulting in orders with a total amount of zero or less.
Example Exploit Payload
POST /checkout.php HTTP/1.1
Host: web.online-shopping-system.orb.local
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=...

cmd=_cart&business=shoppingcart%40puneeth.com&upload=1
&total_count=1
&item_name_1=Samsung+galaxy+s7+edge
&item_number_1=1
&amount_1=[CAN BE CHANGED]
&quantity_1=[CAN BE CHANGED]
&total_count=2
&item_name_2=iPhone+5s
&item_number_2=2
&amount_2=25000
&quantity_2=1
&return=...
&notify_url=...
&cancel_return=...
&currency_code=USD
&custom=26
&login_user_with_product=Ready+to+Checkout
Key points:
- amount_1 and quantity_1 can be set to any value, including negative or zero.
- The server will record the order with a total amount of $0 (or less).
- No server-side validation or recalculation is performed.
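As an added illustration of the missing check (hypothetical hardening code, not the project's own checkout_process.php), the server can rebuild the order from item_number_X and quantity_X alone and price every line from its own catalog; the CATALOG array below is a constructed stand-in for the product table.

```php
<?php
// Added example (hypothetical hardening, not the project's checkout_process.php):
// rebuild the order from item_number_X and quantity_X only and price every line
// from the catalog, so client-supplied amount_X can never set the total.
declare(strict_types=1);

// Constructed stand-in for the product table; a real fix queries the database.
const CATALOG = [1 => 45000.00, 2 => 25000.00]; // item_number => unit price

/**
 * Returns ['ok' => true, 'total' => float, 'lines' => array] for a valid order,
 * or ['ok' => false, 'error' => string] when any client value is unacceptable.
 */
function build_order(array $post): array
{
    $count = filter_var($post['total_count'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($count === false) {
        return ['ok' => false, 'error' => 'invalid total_count'];
    }
    $total = 0.0;
    $lines = [];
    for ($i = 1; $i <= $count; $i++) {
        $id  = filter_var($post["item_number_$i"] ?? null, FILTER_VALIDATE_INT);
        $qty = filter_var($post["quantity_$i"] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => 99]]); // rejects 0 and negatives
        if ($id === false || $qty === false || !isset(CATALOG[$id])) {
            return ['ok' => false, 'error' => "invalid item or quantity at position $i"];
        }
        $price = CATALOG[$id];
        // A client amount_X that disagrees with the catalog is a tampering
        // signal worth logging, but it is never used in the calculation.
        $sent = $post["amount_$i"] ?? null;
        if ($sent !== null && abs((float)$sent - $price) > 0.001) {
            error_log("checkout: amount_$i tampered (client sent $sent, catalog says $price)");
        }
        $lines[] = ['item_number' => $id, 'quantity' => $qty, 'unit_price' => $price];
        $total += $price * $qty;
    }
    return ['ok' => true, 'total' => $total, 'lines' => $lines];
}

// Demo using the advisory's payload shape with amount_1 and quantity_1 tampered.
$post = ['total_count' => '2', 'item_number_1' => '1', 'amount_1' => '0', 'quantity_1' => '-3',
         'item_number_2' => '2', 'amount_2' => '25000', 'quantity_2' => '1'];
var_dump(build_order($post)['ok']);    // quantity_1=-3 fails validation, order refused
$post['quantity_1'] = '1';
var_dump(build_order($post)['total']); // total comes from catalog prices; amount_1=0 ignored
```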
Impact
- Attackers can place orders for free or with negative totals.
- Financial loss and inventory manipulation.
- Integrity of order data is compromised.
- All subsequent operations (viewing orders, database queries) reflect the manipulated values.
Steps to Reproduce
- Add items to cart as a normal user.
- Intercept the POST request to /checkout.php using a proxy tool (e.g., Burp Suite).
- Modify amount_X and/or quantity_X parameters to zero or negative values.
- Submit the request.
- The order is created with the manipulated total amount.
- Query the database (orders_info, order_products) to confirm the zero/negative totals.