Vulnerability Summary
This writeup documents a critical Business Logic Error (CWE-840) discovered in the payment flow of an event-driven e-commerce platform.
Censorship Note: To strictly protect the identity of the affected program, all identifiers, variables, grace periods, API paths, and internal mechanics have been abstracted or replaced with generic concepts (e.g., METHOD_A, /checkout/gateway). Any resemblance to a real-world platform is purely structural for the theoretical understanding of the flaw.
The exploitation chained a session cart limit bypass with parameter tampering at the payment gateway level, allowing an attacker to reserve and entirely deplete an event's available stock without processing any real payment.
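The chain above works because two controls live in the wrong place: the purchase cap is enforced only in the session cart, and the payment method is whatever string the client sends to the gateway step. The following is an added example, not code from the report or the affected platform, showing a minimal checkout model with the naive handler beside a hardened one that (a) caps reservations per account across all sessions, (b) validates the method against a server-side allow-list, and (c) releases any reservation that never receives a confirmed payment. The names (Inventory, checkout_vulnerable, checkout_hardened, METHOD_A/METHOD_B), the cap and the grace period are all constructed for illustration.

```python
"""Added illustration of server-side checkout controls (constructed example)."""
from dataclasses import dataclass

MAX_PER_ACCOUNT = 4      # constructed: cap is per account, not per session cart
RESERVATION_TTL = 600    # constructed grace period (seconds) for unconfirmed payments
IMMEDIATE_METHODS = {"METHOD_A"}   # constructed: charged synchronously at checkout
DEFERRED_METHODS = {"METHOD_B"}    # constructed: settled later via gateway callback


@dataclass
class Reservation:
    account: str
    qty: int
    method: str
    created: float
    paid: bool = False


class Inventory:
    """In-memory stock for one event; reservations hold stock until paid or expired."""

    def __init__(self, stock):
        self.stock = stock
        self.reservations = {}   # reservation id -> Reservation
        self._next_id = 0

    def available(self):
        return self.stock - sum(r.qty for r in self.reservations.values())

    def held_by(self, account):
        return sum(r.qty for r in self.reservations.values() if r.account == account)

    def _reserve(self, account, qty, method, now, paid):
        self._next_id += 1
        self.reservations[self._next_id] = Reservation(account, qty, method, now, paid)
        return self._next_id


def checkout_vulnerable(inv, account, qty, method, now):
    """The pattern the writeup describes: quantity is trusted (the limit lived only
    in the session cart) and the method string is trusted as sent, so a method
    that never settles still reserves stock, and nothing ever releases it."""
    if qty > inv.available():
        return "out_of_stock", None
    return "reserved", inv._reserve(account, qty, method, now, paid=False)


def checkout_hardened(inv, account, qty, method, now):
    """Server-side checks: per-account cap, method allow-list, and stock is only
    held until the gateway confirms payment (see release_expired)."""
    if qty <= 0 or inv.held_by(account) + qty > MAX_PER_ACCOUNT:
        return "limit_exceeded", None
    if method not in IMMEDIATE_METHODS | DEFERRED_METHODS:
        return "invalid_method", None
    if qty > inv.available():
        return "out_of_stock", None
    # An immediate method is charged here (assumed to succeed in this model);
    # a deferred one stays unpaid until confirm_payment is called by the gateway.
    paid = method in IMMEDIATE_METHODS
    return "reserved", inv._reserve(account, qty, method, now, paid=paid)


def confirm_payment(inv, reservation_id):
    """Gateway callback: only a confirmed settlement marks the hold as paid."""
    res = inv.reservations.get(reservation_id)
    if res is None:
        return False
    res.paid = True
    return True


def release_expired(inv, now):
    """Background sweep: drop unpaid holds older than the grace period.
    Returns the number of reservations released."""
    expired = [rid for rid, r in inv.reservations.items()
               if not r.paid and now - r.created > RESERVATION_TTL]
    for rid in expired:
        del inv.reservations[rid]
    return len(expired)


if __name__ == "__main__":
    naive = Inventory(stock=10)
    print(checkout_vulnerable(naive, "anyone", 10, "METHOD_B", now=0), naive.available())
    safe = Inventory(stock=10)
    print(checkout_hardened(safe, "anyone", 10, "METHOD_B", now=0))
    status, rid = checkout_hardened(safe, "anyone", 4, "METHOD_B", now=0)
    print(status, safe.available(), release_expired(safe, now=RESERVATION_TTL + 1), safe.available())
```

The point of the sweep is that stock depletion without payment becomes self-correcting: a hold made with a deferred method is worth nothing to the holder unless the gateway actually confirms it, and the per-account cap means opening more sessions does not raise the ceiling. In a real deployment the cap and the hold would be persisted and checked under a transaction, not in process memory.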
The legitimate reservation and payment flow dictated the following steps:
The bug was a Business Logic vulnerability that allowed users to access paid features while they were on a free plan.
HackerOne disclosed report --> https://hackerone.com/reports/3591764 by ziadmomen
HackerOne disclosed report --> https://hackerone.com/reports/3507241 by aszx87410
How did you identify the values "method_free" and "method_deferred"?
With other gift product