Price Manipulation Attacks – When You Don’t Get Paid

Posted by Webmaster - July 24, 2012 - Blog - No Comments

Price manipulation attacks are most common on custom shopping cart platforms or smaller shopping cart platforms. Most larger and more popular off-the-shelf programs don’t have this vulnerability. However, because the vulnerability is in the application logic rather than at the server level, and is relatively unknown outside of eCommerce, many programmers just don’t know to look out for it.

==> What Is It?

Shopping carts will often pass on price data in HTTP headers or through cookies. For example, the header might say something like “price=59&orderid=555319&custname=jamesbenyon.” The first variable being passed along is the price.

Because the price variable is being passed along by the end user’s browser, it’s not difficult at all for an attacker to change the value.

For example, the user could use an intercepting proxy like Achilles to change the data before the browser sends it, changing the price variable to “price=1” and turning your product into a $1 product.

They’ll still be able to execute their order successfully. Their payment will be processed and most likely your fulfillment house will receive the order.

==> Uses in the Real World

This attack depends on the order not being caught before it gets sent out. It also depends on there being real value in the item being sent to make it worth the effort.

Generally, this type of attack works best against high volume websites where each order isn’t getting carefully checked. On a website that gets ten orders a day, most likely someone’s going to look at each order at some point in the day. On the other hand, a site that gets 300 orders a day is much more likely to let the order through.

Often this attack will be executed at the end of a weekend, when fewer people are in the office and a lot of orders have built up over the weekend.

==> How to Protect Yourself against Price Manipulation

Protecting yourself from this type of attack is quite simple once you know to look out for it.

First, install some sort of double-check system. This system makes sure that the price the user actually paid matches the price the server says they should have paid for that item.

You can also just remove the price variable from the HTTP headers and cookies entirely. Pass only the item number in the request and look the price up on your server.
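Both fixes side by side, as an added example that is not code from the original post: the trusting checkout the post describes, a hardened version that prices the order from a server-side catalog and rejects a disagreeing client price, and an after-the-fact reconciliation pass that flags already-charged orders whose amount does not match. The catalog, the `item` field name and the sample requests are constructed for the example.

```python
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed server-side catalog: item number -> authoritative price.
# (Assumed data; the original post names no catalog or field layout.)
CATALOG = {
    "10001": Decimal("59.00"),
    "10002": Decimal("129.00"),
}

def _field(params, name):
    """Return the first value of a query-string field, or None if absent."""
    values = params.get(name)
    return values[0] if values else None

def vulnerable_total(query):
    """The pattern the post describes: the server bills whatever 'price'
    the browser sent, so a tampered 'price=1' is accepted as-is."""
    params = parse_qs(query)
    return Decimal(_field(params, "price"))

def hardened_total(query):
    """Server-side pricing: only the item number is taken from the request
    and the price comes from the catalog. If the client sent a price anyway,
    it is cross-checked and any disagreement rejects the order."""
    params = parse_qs(query)
    item = _field(params, "item")  # assumed field name for the item number
    if item not in CATALOG:
        return ("rejected: unknown item", None)
    server_price = CATALOG[item]
    client_price = _field(params, "price")
    if client_price is not None and Decimal(client_price) != server_price:
        return ("rejected: price mismatch", server_price)
    return ("accepted", server_price)

def reconcile(orders):
    """The post's 'double-check system' run over charged orders
    (order_id, item, amount_charged): return those whose charged amount
    differs from the catalog price, so fulfillment can hold them."""
    flagged = []
    for order_id, item, charged in orders:
        expected = CATALOG.get(item)
        if expected is None or Decimal(charged) != expected:
            flagged.append((order_id, item, Decimal(charged), expected))
    return flagged

# Constructed sample requests: an honest one and a tampered copy of it.
HONEST = "price=59&item=10001&custname=jamesbenyon"
TAMPERED = "price=1&item=10001&custname=jamesbenyon"
```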

Price manipulation attacks are rare on larger systems, as they’ll have patched this security hole. If you’re building systems from scratch using custom software or using lesser-known builds, however, it’s a very common security hole. Though patching the hole can take time, it’s worth it. Otherwise you risk giving attackers almost free products.