Price Parameter Tampering On Bukalapak

On the Thursday night, I feel boring on my rooms and then I try to do something to make my time is more valuable. After that I’m thinking of “How about I testing Bukalapak” . Not on the website application, But on their Mobile Application, although I’m not expert at all and just testing on their traffic from the Mobile Application to server.

I start hunt bug just trying to figured what’s the feature I should test, with the feeling of course. Long story short, I take a look on the feature called “Buka Pengiriman” In this feature, seller can pay the shipping fee on bukalapak and the shipping expedition will come to seller place to pick up the goods without request payment.

After now know the system work, I start thinking do this can be vulnerable on Parameter Tampering, Because I read a lot of the Parameter Tampering but have no luck to found one of them.

And then I start to launch the parameter tampering attack on the endpoint https://api.bukalapak.com/open-shipments/transactions , because I take a look on the system, this endpoint include the Price and the endpoint exist before system redirect to payment page.

Vulnerable Endpoint Price Parameter Tampering
Vulnerable Endpoint Price Parameter Tampering

And then when I trice to change the value of shipping and total parameter to 10, the response is also turning to 10. Hmmm, do this is really Vulnerable to Price Parameter Tampering ?

Is this parameter tampering ?
Is this parameter tampering ?

Because I’m not sure, I take a look on the my payment page to see there’s a some invoice with the following price?

Price on Payment page
Price on Payment page

Okay, this is on the payment page. But, I still not sure if this can be valid. So, I try to pay the invoice and the status is return to SUCCESS. And I was like :

And then after that,  I start make some report to Bukalapak.

After long day no response, I ping up again to ask about the bounty, and they said it’s eligible for bounty and proceed the bounty soon. Long story short, the bounty of the Price parameter tampering on the Bukalapak is : 2.000.000 IDR or around 150$ ( Not include the tax).

Timeline :

  • Reported – Mar 7, 2019
  • Validated Valid – Mar 12, 2019
  • Rewarded – May 13, 2019
  • Fixed – July 24, 2019