Hello guys! Hope you all are doing well! This time I’ll tell you about a simple bug that you can exploit to gain good bounties! So, without further ado let’s get straight into it!
Bug Detail:
So, this bug deals with the payment process of a website. You can exploit this bug to gain free products, services, etc., or upgrade your account to pro, etc. This poses a huge impact on the company, as the company can get into huge loss if the attacker exploits this bug. This deals with “Cards”.
So, what happens is there are many payment providers ex: Stripe, RazorPay, etc. Some of them provide something called “TEST CARDS”. An attacker can use these test cards to access products for free. Test cards vary, as different providers provide different test cards.
An example of a test card:
Card-Number: 5200828282828210
Expiry: 12/34
CVV: 678
(Don’t use the above to purchase stuff, it won’t work, but if it does congrats! You’ve got yourself a free product and a Critical Bug! xD)
What is Test-Cards?
Test cards are a vital tool to verify the seamless integration of websites, ensuring optimal performance and reliability. By using specialized values in a test mode, websites can simulate transactions without actually moving any funds. Test cards offer an array of scenarios to simulate, including successful payments by card brand or country, as well as card errors caused by declines, fraud, or invalid data. Additionally, they allow websites to simulate disputes, refunds, and authentication with 3D Secure and PINs, enabling comprehensive testing to ensure that the payment system works effectively and efficiently.
Now you have a basic idea of what the test cards are, and why they’re provided. Let’s jump to the next part!
##How to exploit the issue?
Having knowledge is not everything. You should know how to exploit it. So, let’s look into that. You can follow the below steps to exploit the issue:
- Take your target. Go to its payment page.
- Check the payment provider for the website. You can see it on the website itself, source code, or by using wappplyzer.
- Now you have your payment provider. Got to its website and look for documentation.
- If you’re lucky you can find it’s test cards.
- Go to the target and enter any of those test-cards.
- Cool! Bug Exploited!
Conclusion:
To sum up, exploiting the test card bug can cause financial harm to a company, and it’s easy to do. Test cards are given by payment providers to check website integration and simulate different scenarios. Companies need to be aware of this bug and keep their payment systems secure to avoid exploitation. A good mitigation would be to block all test-cards in production.
I hope you’ve gained some knowledge through this blog. Good luck!
My socials:
Twitter: https://twitter.com/0x2458
Buymeacoffee: https://www.buymeacoffee.com/0x2458
Thanks for reading! Here’s a small bonus: Stripe’s TestCard Documentation <3!