
Vulnerability Description => Parameter tampering is a form of Web-based attack in which certain parameters in the Uniform Resource Locator (URL) or Web page form field data entered by a user are changed without that user's authorization.
How to Exploit

1. Go to the Amazon Affiliate Store site (http://freelancewebdesignerchennai.com/demo/multivendor/)

2. Click Register and register using your email address and password

3. Return to the Amazon Affiliate Store site and log in to your account

4. Go to Home, select any product you want to buy (e.g. Modern Cellphone Camera) and click Add to Cart

5. Go to checkout and then click Proceed to Checkout

6. Fill in all billing details and select PayPal as the payment method

7. Make sure Burp intercept is on, click Proceed to PayPal, then capture the data

8. Find the amount value that you want to change

9. Now change the amount value to 1 or anything you want and forward the data

10. Then turn Burp intercept off and go to the PayPal payment gateway

11. Now log in or create a new PayPal account and you will see the amount is hacked or changed
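The steps above work because the amount sent to the payment gateway comes from a request the browser can modify. The following added example (not code from the affected script) sketches the server-side check that closes the gap: the total is priced from server-held data, and an order is marked paid only when the gateway reports that exact total. The catalogue, order store, function names and notification fields are all hypothetical.

```python
from decimal import Decimal

# Constructed catalogue and order store; a real shop reads these from its database.
CATALOGUE = {"cam-01": Decimal("149.00"), "case-07": Decimal("12.50")}
ORDERS = {}

def create_order(order_id, cart, currency="USD"):
    """Price the cart from server-side data only; cart is {sku: quantity}."""
    total = Decimal("0.00")
    for sku, qty in cart.items():
        if sku not in CATALOGUE or not isinstance(qty, int) or qty < 1:
            raise ValueError(f"invalid cart line: {sku!r} x {qty!r}")
        total += CATALOGUE[sku] * qty
    ORDERS[order_id] = {"total": total, "currency": currency, "status": "pending"}
    return total

def confirm_payment(notification):
    """Mark an order paid only if the gateway reports the exact stored total.

    `notification` stands for the gateway's server-to-server message, assumed
    to be already authenticated with the gateway (out of scope here).
    """
    order = ORDERS.get(notification.get("order_id"))
    if order is None or order["status"] != "pending":
        return "rejected: unknown or already processed order"
    try:
        paid = Decimal(str(notification["amount"]))
    except (KeyError, ArithmeticError):
        return "rejected: missing or malformed amount"
    if notification.get("currency") != order["currency"]:
        return "rejected: currency mismatch"
    if paid != order["total"]:
        # Keep the order out of fulfilment and leave a trail for review.
        order["status"] = "flagged"
        return f"rejected: paid {paid}, expected {order['total']}"
    order["status"] = "paid"
    return "accepted"
```

A flagged order is a useful detection signal: a payment that arrives with an amount different from the stored total means the checkout request was altered somewhere between the shop and the gateway.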

