crypt0g30rgy.github.io
The Bug That Kept On Giving :: PaymentBypass :: QR CODE
How we got there
A story of a bug i found through QR code Response Manipulation.
I was scrolling my twitter feed when i can across a tweet from @intigriti about paywall bypass, and i remembered i had a target that had payment bypass inscope.
I went a head and visted the program jij0 (why). jij0 had a website offering an option to buy e-giftcards. https://jij0.be/nl/jij0-gift that would redirect you to https://gifts.jij0.be This process contains a flow like;
select gift card -> get taken to cart -> fill in all the details -> Verify info -> Select payment (By QR Code) -> get qr code -> scan qr to pay (Vulnerable area)
Reproduction steps
- Visit https://gifts.jij0.be
- Select a gift card
- get taken to cart -> fill in all the details -> Verify info -> Select payment (QR code) -> get qr code -> scan qr to payment
- Open burp and intercept request with the payment info
"POST /rest/Payment/v1/status?"and json data{"paymentData": "DATAAAA"} - Select burps do intercept response option.
- Intercept response which should contain a json parmeter with
{"payload": "","resultCode":"pending","type":"complete"} .Change the response from {"payload": "","resultCode":"pending","type":"complete"}to{"payload": "","resultCode":"complete","type":"complete"} - Now you should recieve a green check to show payment complete and get redirected to
- After several minutes you should recieve email confirmation of your purchase.
I made a report and sent it to the program and after a few days it got accepted as a high severity and Bounty €500 awarded.
