Information Kerala Mission Property Tax Payment Portal Payment Tampering Vulnerability
Vulnerability
A critical vulnerability has been identified in the Kerala Government Property Tax Payment Portal, specifically in the Sanchaya application version 3.0.4. It allows attackers to arbitrarily modify the payment amount while it is in transit from the client to the server. The portal fails to properly validate the payment amount it receives, enabling fraudulent payments and potential revenue loss for local governments. Attackers can intercept and alter the payment amount using a proxy tool like Burp Suite, undermining the financial integrity of transactions.
Impact
Exploitation of this vulnerability allows attackers to tamper with payment amounts, leading to underpayment and financial loss for local governments. The manipulation of payment amounts can disrupt the revenue collection process, adversely affecting local government finances.
Reproduction
To reproduce this vulnerability, navigate to the Kerala Government Property Tax Payment Portal and initiate a payment. Use a proxy tool like Burp Suite to intercept the HTTP request containing the payment amount. Modify the payment amount to a lower value, such as 1 Rs, and forward the request to the server. After the payment is processed, intercept the success response to confirm that the modified payment amount was accepted and a receipt was issued based on the tampered amount.
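The server-side check whose absence is described above, as an added example that is not the portal's code: the flawed pattern beside a hardened one. The demand table, field names and function names are hypothetical, and the sample request is constructed.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data: the assessed amount lives server-side (hypothetical schema).
DEMANDS = {"DEMAND-001": Decimal("4250.00")}


class AmountMismatch(Exception):
    """A submitted or settled amount differs from the assessed demand."""


def parse_amount(raw):
    try:
        return Decimal(str(raw))
    except InvalidOperation:
        raise AmountMismatch(f"unparseable amount: {raw!r}")


def create_order_vulnerable(form):
    # Flawed pattern: the charge is whatever amount arrives in the request,
    # so a value edited in transit is charged and receipted as-is.
    return {"demand_id": form["demand_id"], "amount": parse_amount(form["amount"])}


def create_order_hardened(form):
    # The charge comes from the server's own record; a client-supplied
    # amount is only compared against it and rejected on any difference.
    due = DEMANDS[form["demand_id"]]
    if "amount" in form and parse_amount(form["amount"]) != due:
        raise AmountMismatch(f"client sent {form['amount']}, demand is {due}")
    return {"demand_id": form["demand_id"], "amount": due}


def issue_receipt(order, settled_amount):
    # Re-check at the payment callback: a receipt is issued only when the
    # settled amount equals the assessed demand, never the request value.
    due = DEMANDS[order["demand_id"]]
    if parse_amount(settled_amount) != due:
        raise AmountMismatch(f"settled {settled_amount}, demand is {due}")
    return {"demand_id": order["demand_id"], "paid": due, "status": "PAID"}


if __name__ == "__main__":
    tampered = {"demand_id": "DEMAND-001", "amount": "1"}  # constructed request
    print("vulnerable:", create_order_vulnerable(tampered))
    try:
        create_order_hardened(tampered)
    except AmountMismatch as exc:
        print("hardened rejected:", exc)
```

Rejected mismatches are worth logging with the demand identifier and both amounts, since a request whose amount differs from the assessed demand is a direct signal of tampering.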
