A story of a bug I found through QR code response manipulation.
I was scrolling my Twitter feed when I came across a tweet from @intigriti about paywall bypass, and I remembered I had a target that had payment bypass in scope.
I went ahead and visited the program jij0 (why). jij0 had a website offering an option to buy e-giftcards, https://jij0.be/nl/jij0-gift, that would redirect you to https://gifts.jij0.be. This process contains a flow like:
select gift card -> get taken to cart -> fill in all the details -> verify info -> select payment (by QR code) -> get QR code -> scan QR to pay (vulnerable area)
"POST /rest/Payment/v1/status?"
and JSON data {"paymentData": "DATAAAA"}
{"payload": "","resultCode":"pending","type":"complete"}
Change the response from {"payload": "","resultCode":"pending","type":"complete"}
to {"payload": "","resultCode":"complete","type":"complete"}
I made a report and sent it to the program, and after a few days it got accepted as high severity and a bounty of €500 was awarded.
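Why rewriting `resultCode` in the response can matter, and how a back end closes the gap, as an added example that is not part of the original write-up or the program's code. It assumes fulfilment acts on the status the browser received; the function names, order ids and status store are hypothetical.

```javascript
// Vulnerable pattern (assumed): fulfilment believes the resultCode that the
// client reports, which is exactly the value an intercepting proxy can rewrite.
function fulfilTrustingClient(orderId, clientReport) {
  return { orderId, issued: clientReport.resultCode === "complete" };
}

// Hardened pattern: providerStatus is a server-side record (orderId -> status)
// written only by the back end after it asks the payment provider itself.
// The client-reported body is kept only as a tamper signal for logging.
function createFulfiller(providerStatus) {
  const issued = new Set(); // orders whose gift card was already delivered
  return function fulfil(orderId, clientReport) {
    const status = providerStatus.get(orderId) ?? "unknown";
    const tamperSuspected =
      clientReport.resultCode === "complete" && status !== "complete";
    if (status !== "complete") {
      return { orderId, issued: false, status, tamperSuspected };
    }
    if (issued.has(orderId)) {
      // A paid order is fulfilled at most once, even if the call is replayed.
      return { orderId, issued: false, status: "already-issued", tamperSuspected };
    }
    issued.add(orderId);
    return { orderId, issued: true, status, tamperSuspected };
  };
}

// Constructed sample state: one unpaid order and one paid order.
function sampleProviderStatus() {
  return new Map([
    ["order-1001", "pending"],  // QR code shown, nothing paid yet
    ["order-1002", "complete"], // paid
  ]);
}

// The manipulated body from the write-up, as the client would report it.
const manipulated = { payload: "", resultCode: "complete", type: "complete" };

const fulfil = createFulfiller(sampleProviderStatus());
console.log(fulfilTrustingClient("order-1001", manipulated)); // issued without payment
console.log(fulfil("order-1001", manipulated)); // refused, tamper flagged
console.log(fulfil("order-1002", manipulated)); // issued once
console.log(fulfil("order-1002", manipulated)); // replay refused
```

A `tamperSuspected: true` result is worth logging with the session and order id, since an honest client never reports `complete` for an order the provider still shows as pending.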