Bdtask Isshue Multi Store eCommerce Shopping Cart Solution Business Logic Flaw Allowing Insecure Price Manipulation

Vulnerability

A critical business logic vulnerability has been identified in Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution version 5. The issue arises in the checkout process, specifically within the '/submit_checkout' endpoint. The vulnerability allows for insecure manipulation of price-related parameters, 'order_total_amount' and 'cart_total_amount', in the POST request. The application fails to validate these client-supplied values against trusted server-side data, such as actual product prices stored in the database. As a result, attackers can submit orders at significantly reduced prices, leading to direct financial losses and inventory depletion, as products are shipped based on these fraudulent transactions.

Impact

Exploitation of this vulnerability allows attackers to manipulate order prices, purchasing items for much less than their actual value. This not only results in immediate financial losses but also disrupts inventory management, as products are dispatched based on these altered orders. Additionally, the vulnerability can be exploited on a large scale through automated scripts, exacerbating the financial impact on the business.

Reproduction

To reproduce this vulnerability, add a product to the cart and proceed to the checkout page. After filling in the required customer details, intercept the POST request sent to '/submit_checkout' using a web proxy like Burp Suite. In the intercepted request, modify the 'order_total_amount' and 'cart_total_amount' parameters to lower values, such as '1.00'. Forward the manipulated request to the server, which will accept the order at the reduced price and redirect the user to the homepage, logging the fraudulent transaction.

Remediation

It is recommended to implement server-side validation for all price-related fields in the checkout process. The backend should recalculate the total based on trusted data from the database, ignoring any client-supplied amounts. If a discrepancy is detected, the transaction should be rejected and logged as a security alert.
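The following is an added illustration of that remediation, not code from the Isshue product: the server recomputes the order total from its own product table and only compares the client's 'order_total_amount' and 'cart_total_amount' against it, rejecting and logging any mismatch. The product table, SKUs and cart lines are constructed sample data.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP
import logging

logger = logging.getLogger("checkout")

# Constructed stand-in for the trusted product table. In a real deployment this is a
# database lookup; the browser never supplies a price the server relies on.
PRODUCT_PRICES = {
    "SKU-1001": Decimal("49.99"),
    "SKU-1002": Decimal("120.00"),
}

CENT = Decimal("0.01")


def to_money(value) -> Decimal:
    """Parse a submitted money field to exactly two decimal places (raises on garbage)."""
    return Decimal(str(value)).quantize(CENT, rounding=ROUND_HALF_UP)


def server_side_total(cart_items, prices=PRODUCT_PRICES) -> Decimal:
    """Recalculate the total from trusted prices; rejects unknown SKUs or non-positive quantities."""
    total = Decimal("0.00")
    for item in cart_items:
        qty = int(item["qty"])
        if qty <= 0 or item["product_id"] not in prices:
            raise ValueError(f"invalid cart line: {item!r}")
        total += prices[item["product_id"]] * qty
    return total.quantize(CENT)


def validate_checkout(post_fields, cart_items, prices=PRODUCT_PRICES):
    """Return (accepted, trusted_total). Client amounts are compared, never used for billing."""
    trusted = server_side_total(cart_items, prices)
    # Both price fields of the submit_checkout POST must equal the recomputed value exactly.
    for field in ("order_total_amount", "cart_total_amount"):
        try:
            claimed = to_money(post_fields.get(field, ""))
        except (InvalidOperation, ValueError):
            claimed = None
        if claimed != trusted:
            # Discrepancy: refuse the order and raise a security alert for review.
            logger.warning("price tampering suspected: %s=%r, server total=%s, cart=%r",
                           field, post_fields.get(field), trusted, cart_items)
            return False, trusted
    return True, trusted
```

The order is always charged at the value returned as trusted_total, so a tampered request can at most be rejected, never honoured.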

Added: Nov 16, 2025, 6:17 AM
Updated: Nov 16, 2025, 6:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.5
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.