hacktricks/pentesting-web/bypass-payment-process.md
# Bypass Payment Process
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
***
## Payment Bypass Techniques
### Request Interception
During the transaction process, it is crucial to monitor the data being exchanged between the client and the server. This can be done by intercepting all requests. Within these requests, look out for parameters with significant implications, such as:
- **Success**: This parameter often indicates the status of the transaction.
- **Referrer**: It might point to the source from where the request originated.
- **Callback**: This is typically used for redirecting the user after a transaction is completed.
### URL Analysis
If you encounter a parameter that contains a URL, especially one following the pattern _example.com/payment/MD5HASH_, it requires closer examination. Here's a step-by-step approach:
1. **Copy the URL**: Extract the URL from the parameter value.
2. **New Window Inspection**: Open the copied URL in a new browser window. This action is critical for understanding the transaction's outcome.
### Parameter Manipulation
1. **Change Parameter Values**: Experiment by altering the values of parameters like _Success_, _Referrer_, or _Callback_. For instance, changing a parameter from `false` to `true` can sometimes reveal how the system handles these inputs.
2. **Remove Parameters**: Try removing certain parameters altogether to see how the system reacts. Some systems might have fallbacks or default behaviors when expected parameters are missing.
### Cookie Tampering
1. **Examine Cookies**: Many websites store crucial information in cookies. Inspect these cookies for any data related to payment status or user authentication.
2. **Modify Cookie Values**: Alter the values stored in the cookies and observe how the website's response or behavior changes.
### Session Hijacking
1. **Session Tokens**: If session tokens are used in the payment process, try capturing and manipulating them. This might give insights into session management vulnerabilities.
### Response Tampering
1. **Intercept Responses**: Use tools to intercept and analyze the responses from the server. Look for any data that might indicate a successful transaction or reveal the next steps in the payment process.
2. **Modify Responses**: Attempt to modify the responses before they are processed by the browser or the application to simulate a successful transaction scenario.
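A defender's counterpart to the techniques above, as an added example that is not part of the original page: a Python handler that moves an order to "paid" only on a gateway notification carrying a valid HMAC (the gateway, its field order and the shared secret are assumptions), takes the price from the server-side order record, rejects replays, and honours client-supplied return/callback URLs only on an allowlisted host. With this in place, flipping a `Success` parameter, editing a cookie or rewriting a response in the browser cannot mark the order as paid.

```python
import hmac
import hashlib
from urllib.parse import urlparse

# Constructed sample data: server-side order records and the shared secret a
# hypothetical gateway uses to sign its server-to-server notifications.
GATEWAY_SECRET = b"constructed-demo-secret"
ORDERS = {
    "A100": {"amount_cents": 4999, "currency": "EUR", "status": "pending"},
    "A101": {"amount_cents": 1500, "currency": "EUR", "status": "paid"},
}
ALLOWED_RETURN_HOSTS = {"shop.example"}


def sign_notification(order_id, amount_cents, currency, status, secret=GATEWAY_SECRET):
    """HMAC-SHA256 over a fixed field order; mirrors what the gateway would send."""
    msg = f"{order_id}|{amount_cents}|{currency}|{status}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_notification(params, orders=ORDERS):
    """Return (accepted, reason). Only a correctly signed gateway notification,
    never a client-supplied 'success' flag, can move an order to 'paid'."""
    try:
        order_id = params["order_id"]
        amount = int(params["amount_cents"])
        currency = params["currency"]
        status = params["status"]
        sig = params["signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed field"
    order = orders.get(order_id)
    if order is None:
        return False, "unknown order"
    expected = sign_notification(order_id, amount, currency, status)
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"  # status/amount edited without the key
    if order["status"] != "pending":
        return False, "replayed notification"  # already paid or cancelled
    if amount != order["amount_cents"] or currency != order["currency"]:
        return False, "amount mismatch"  # price comes from the server record
    if status != "paid":
        return False, "gateway reported not paid"
    order["status"] = "paid"
    return True, "ok"


def safe_return_url(url):
    """A client-supplied callback/return URL is honoured only on an allowlisted HTTPS host."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in ALLOWED_RETURN_HOSTS
```

Logging every rejected reason alongside the source IP and order id gives a cheap detection signal for the parameter, cookie and response tampering described above.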