🛑HTML Tampering Live

In this post I'll teach you how to tamper with (manipulate) the HTML form data a site sends, to obtain benefits you are not authorised to!! And I'll be performing it on a live, real-world website!

Before proceeding, have a look at the following references, which will give you a thorough idea about data tampering in general :-

https://www.imperva.com/learn/application-security/parameter-tampering/

https://www.geeksforgeeks.org/html-form-tampering-in-perl/

Now let's begin

We are going to buy a product at a cheaper rate on a real-world website by tampering with the HTML form data! (We can also get it for free.)

Head on to the following website :-

https://www.cakengifts.in/

This is a website that sells cakes and flowers to people residing in Delhi, India.

Scroll down and select any product

For this demonstration, I’m gonna select Doraemon cake (you can select any other too)

Choose your desired options; in the pincode section I entered 110001, since it's the pincode of an area in Delhi!

Then scroll down and hit the ADD TO CART button

Once you have added this product to the cart, proceed to the cart to check it, as shown below:

Here you can see that the cart has been updated and the total price is Rs.1595 (but our goal is to buy it for a lesser amount or for free).

Here the Real GAME BEGINS !!!

Empty the cart and head back to the previous page

Right click anywhere on the page and select Inspect which is highlighted above

This will open up your web developer tools!

Then select the network tab as shown in the above picture

(Instead of doing all this, you can simply press Ctrl+Shift+E on your keyboard, which will directly open up the Network tab of the developer tools!)

Once you have your Network tab open, hit the ADD TO CART button

Then, right click on the POST request and select the EDIT AND RESEND option as shown above

Here, in the request body, you can see that the price is set to Rs.1595.

So why not try modifying it!

So I modified the amount to Rs.10 (you can modify it to any amount).

Then hit the SEND button and...

BOOM ⚡⚡⚡ We have changed the amount to Rs.10!!!

Now you can proceed to check out the item for just Rs.10, or any other amount you desire!

Have Fun and I hope you learnt something valuable here.

Mitigation :-

In this practical demonstration, you noticed that the price is calculated client side and sent to the server in the request body. The server accepted that value as given and did not calculate the price again. The mitigation in this case is to treat only the product identifier and quantity as input, look up the price of the product in the database, and calculate the total price again on the server side; the price field sent by the client should be ignored (and a mismatch between it and the catalogue price is worth logging, since it is a clear sign that the request was tampered with).

In real-world applications like this one, you should never rely on client-side validation. It is important to verify all the input sent by the client. Always remember: NEVER TRUST INPUT SENT BY A CLIENT.
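The following is an added example of the mitigation just described; it is not code from the original post or from the website discussed in it. It contrasts an add-to-cart handler that trusts the client's price field (the pattern the post exploits) with a hardened handler that ignores that field, looks the price up in a server-side catalogue, validates the quantity, and flags a client/catalogue price mismatch for logging. The product ids, prices and request bodies are constructed for illustration.

```python
import logging

logger = logging.getLogger("cart")

# Constructed server-side catalogue (hypothetical product ids, prices in whole rupees).
# This table, never the request body, is the only source of truth for prices.
CATALOG = {
    "cake-doraemon": {"name": "Doraemon Cake", "price": 1595},
    "flowers-roses": {"name": "Red Roses", "price": 499},
}

MAX_QTY = 20  # assumed per-line quantity limit


class CartError(ValueError):
    """Raised when a client-supplied cart item cannot be accepted."""


def add_to_cart_vulnerable(body: dict) -> dict:
    """The pattern the post exploits: the price the client sent is used as-is."""
    qty = int(body.get("qty", 1))
    price = int(body["price"])  # attacker-controlled value from the request body
    return {"product_id": body["product_id"], "qty": qty, "total": price * qty}


def client_price_mismatch(body: dict, unit_price: int) -> bool:
    """True if the client sent a price that disagrees with the catalogue price."""
    if "price" not in body:
        return False
    try:
        return float(body["price"]) != float(unit_price)
    except (TypeError, ValueError):
        return True  # non-numeric price field is also a tampering signal


def add_to_cart_hardened(body: dict) -> dict:
    """Recompute the line total from the catalogue; never use body['price'].

    Only the product id and quantity are taken from the client, and both are
    validated. Raises CartError for unknown products or bad quantities. A
    client-supplied price that disagrees with the catalogue is logged and
    reported in the result as 'tampered' so monitoring can pick it up.
    """
    product_id = body.get("product_id")
    product = CATALOG.get(product_id)
    if product is None:
        raise CartError(f"unknown product id: {product_id!r}")

    try:
        qty = int(body.get("qty", 1))
    except (TypeError, ValueError):
        raise CartError("quantity must be an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise CartError(f"quantity {qty} out of range 1..{MAX_QTY}")

    unit_price = product["price"]
    tampered = client_price_mismatch(body, unit_price)
    if tampered:
        logger.warning("price mismatch for %s: client sent %r, catalogue has %d",
                       product_id, body.get("price"), unit_price)

    return {
        "product_id": product_id,
        "qty": qty,
        "unit_price": unit_price,
        "total": unit_price * qty,   # computed server side, from catalogue data only
        "tampered": tampered,
    }


if __name__ == "__main__":
    # Constructed request body modelled on the edited-and-resent POST in the post.
    edited = {"product_id": "cake-doraemon", "qty": 1, "price": 10}
    print("vulnerable:", add_to_cart_vulnerable(edited))  # total 10
    print("hardened:  ", add_to_cart_hardened(edited))    # total 1595, tampered True
```

The same rule applies at checkout: the order total must be recomputed from the stored cart lines at the moment payment is taken, not read back from a hidden form field or a client-side cookie.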


If you face any kind of issue or need some help with its additional features, feel free to leave a comment or directly connect with me on my Instagram handle, my mail or my WhatsApp group, details of which are mentioned on my home page 🤗

daNiN hacking Tutorials