Bypassing a payment gateway for FUN 🙂

Good day ppl ! This is Gnana Aravind, with a new write-up on how I bypassed the payment gateway of a website and made my payment successfully without paying even a single penny.Lets get started…

Few lines about Payment Gateway

When we buy something online, the last part will be completing the payment. Websites use multiple methods to make this done, like you may have seen some companies like Paytm, Razorpay, etc., services while doing the process. To know further about how payment gateway works, refer the article below.

Background Story

While I was browsing on internet this website came in a add, basically they were selling magazines on electronics and emerging technologies. Other than cyber security am very much interested in Electronics and Robotics, so I planed to make a subscription for a year and started the process for buying it. While doing the payment, my hacker mind started imagining why not to try bypassing the payment or to tamper the value of price.

Jumping into the Bypass

So quickly I fired up the burp and started intercepting the requests, then noticed that the site was using Paytm as the payment gateway. Firstly I tried parameter tampering on the price value, but nothing worked out as it was having a check sum validation at the end. But when I noticed the requests and responses during the process, after tampering the value, the webapp was returning a response with status code “330” and there were some false parameters. So quickly, I started modifying the false parameters to positive parameters, for example changed the code from 330 to 200. Finally I modified the response from this(In below screenshot the parameter was STATUS=TXN_FAILURE)

False Response (Returned from website)

to something like this

Positive Response (Modified by me)

WHOOLA !!!

The payment was successful and got a receipt stating that the order is successful and got a invoice like the one below.

The receipt received for successful payment

Now, I was just happy partially, coz the website was not having any VDP or Bug bounty Program. So I just sent a mail to the support mail id stating that I found a vulnerability on the website and they responded with the mail id of their IT team. Quickly I made a POC and reported it in a proper way.

After a couple of days they replied me and requested to guide them to solve the issue. I spent some time with them and finally the issue was fixed. As a token of appreciation they sent me a swag (Bluetooth speaker) and added me to the subscription list for the magazine for which I visited the website 😅.

Hope you enjoyed this write-up and gained something good. Visit my profile Gnana Aravind for my past write-ups. For doubts and guidance ping me in Instagram.

PS : Am building a community called Cyberonics where we will be organizing free workshops and webinars. Follow here Cyberonics to get updated about the events.

Cheers and Byeee… Meet you in the next write-up. Follow here to read my write-ups without missing.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store