Payment Functionality

Check List

Methodology

Black Box

Payment Gateway Bypass

1. Add items to the cart and proceed to checkout to initiate a payment via the third-party gateway, capturing the redirect URL and parameters with Burp Suite.

2. Complete a legitimate low-cost purchase to obtain a valid payment_id and observe the success redirect parameters (status=Succeed, payment_id=abc123).

3. Start a new order, proceed to payment, and cancel it at the gateway to trigger a failure redirect with parameters (status=Failed, payment_id=xyz789).

4. Intercept the failure redirect response in Burp Suite and modify the parameters to fake success: change status=Failed to status=Succeed and replace payment_id=xyz789 with the valid payment_id=abc123 from the prior transaction.

5. Check the target website for order confirmation or invoice; if the order is marked as paid without actual payment, the bypass vulnerability is confirmed.


Payment Bypass

1. Go to any e-commerce checkout flow.

2. Add any item to the cart and proceed to checkout.

3. Choose any payment method.

4. Intercept the final redirect or POST request with Burp Suite.

5. Do NOT complete the payment; just note the success URL, for example:

   https://target.com/success?order_id=12345&status=paid

6. Visit the success URL directly by pasting it into a new tab:

   https://xyz.com/success?order_id=12345

7. Check your account's Orders page. If the order appears as Confirmed, Paid or Shipped, the payment bypass is CONFIRMED.


Payment Callback Forgery

1. Go to any payment form on a government or enterprise site.

2. Enter a small test amount (5 INR / $1) and click "Pay Now".

3. Let the site redirect you to the payment gateway (e.g. PayU).

4. Cancel the payment: click Back or Cancel and confirm the cancellation. This triggers a POST to /PayFail.aspx (or /fail, /cancel, /error).

5. Intercept the FAIL request with Burp Suite. Example:

   POST /PayFail.aspx HTTP/1.1

   status=failure&unmappedstatus=userCancelled&net_amount_debit=0.00&error=E1605&error_Message=Transaction+failed...

6. Make a REAL payment (once) to capture the success response: pay 5 INR and let it succeed. Capture the SUCCESS callback POST to /PayCallBack.aspx (or /success, /verify, /return). Example success body:

   status=success
   unmappedstatus=captured
   net_amount_debit=5.06
   additionalCharges=0.06
   mode=UPI
   field9=Success%7CCompleted+Using+Callback
   error=E000
   error_Message=No+Error

7. Change the path to POST /PayCallBack.aspx.

8. Replace the entire body with the successful payment data.

9. Keep only these original values from your failed attempt:

   • mihpayid
   • txnid
   • addedon
   • hash (critical: must match the PayU checksum)

10. Override the rest with the success values:

   status=success
   unmappedstatus=captured
   net_amount_debit=5.06
   additionalCharges=0.06
   mode=UPI
   field9=Success%7CCompleted+Using+Callback
   error=E000
   error_Message=No+Error

11. Final bypass request (example):

   POST /PayCallBack.aspx HTTP/1.1
   Host: www.xyz.gov.in
   Content-Type: application/x-www-form-urlencoded

   mihpayid=17797357055&mode=UPI&status=success&unmappedstatus=captured&key=dTA6xR&txnid=17917&amount=5.00&discount=0.00&additionalCharges=0.06&net_amount_debit=5.06&addedon=2023-07-24+11%3A13%3A45&productinfo=Type+Rent&firstname=Test&email=test@gmail.com&phone=1234567890&hash=56c3763f3b737116730e420b2004a4b699f485e98ccc3e887aa63afee3c49ce3f9780c375fe08bf6f36df76497463f1ca47c7fa4587541b88a1b99cc1823515c&field1=UPI&field9=Success%7CCompleted+Using+Callback&payment_source=payu&PG_TYPE=UPI-PG&bank_ref_num=FAKE123&bankcode=UPI&error=E000&error_Message=No+Error

12. Send the request.
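The three flows above (gateway bypass, success-URL replay and callback forgery) share one root cause: the merchant trusts status and payment_id values that arrive through the customer's browser. The following Python handler is an added defender-side example, not code from the original page or from PayU: it verifies the callback signature with the merchant secret, binds the payment id to exactly one order, checks the signed amount against what the order owes, and only then marks the order paid. The signing scheme (HMAC-SHA256 over pipe-joined fields) and all order data are constructed assumptions; the field names (txnid, mihpayid, amount, status, hash) are borrowed from the PayU example above.

```python
import hashlib
import hmac

# Constructed merchant secret and order store. In a real deployment the secret comes
# from the gateway dashboard and orders live in a database.
MERCHANT_SALT = b"constructed-merchant-salt"
ORDERS = {
    "17917": {"amount": "5.00", "state": "pending", "payment_id": None},
    "17918": {"amount": "5.00", "state": "pending", "payment_id": None},
}
CONSUMED_PAYMENT_IDS = set()


def expected_signature(fields: dict) -> str:
    """Assumed signing scheme: HMAC-SHA256 over pipe-joined canonical fields.
    Real gateways publish their own formula (PayU uses a SHA-512 over a fixed
    pipe-separated field list that includes the salt); substitute it here."""
    canon = "|".join(fields.get(k, "") for k in ("status", "txnid", "amount", "email", "mihpayid"))
    return hmac.new(MERCHANT_SALT, canon.encode(), hashlib.sha256).hexdigest()


def handle_callback(body: dict) -> tuple:
    """Server-side validation of a gateway callback. Returns (decision, reason)."""
    order = ORDERS.get(body.get("txnid", ""))
    if order is None:
        return ("reject", "unknown txnid")
    # 1. Integrity: the hash must verify under the merchant secret (constant-time compare).
    #    Flipping status=failure to status=success invalidates the hash from the failed attempt.
    if not hmac.compare_digest(body.get("hash", ""), expected_signature(body)):
        return ("reject", "bad signature")
    # 2. Replay: one payment id settles exactly one order (defeats reusing a prior payment_id).
    pid = body.get("mihpayid", "")
    if pid in CONSUMED_PAYMENT_IDS:
        return ("reject", "payment id already used")
    # 3. Amount binding: the signed amount must equal what the order owes.
    if body.get("amount") != order["amount"]:
        return ("reject", "amount mismatch")
    # 4. Only a verified success transitions the order; the browser redirect never does.
    if body.get("status") != "success":
        order["state"] = "failed"
        return ("failed", "gateway reported " + body.get("status", "?"))
    CONSUMED_PAYMENT_IDS.add(pid)
    order["state"] = "paid"
    order["payment_id"] = pid
    return ("paid", "ok")


def sign(fields: dict) -> dict:
    """Produces the callback the gateway itself would send (used for the demo only)."""
    return {**fields, "hash": expected_signature(fields)}
```

The browser-facing /success page should render from the order's stored state, never from its own query parameters, so pasting a success URL into a new tab changes nothing.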


Response Manipulation

1. Go to any mobile app (Android/iOS) with a reward points system, wallet or cart checkout.

2. Use Burp Suite with a rooted device or emulator.

3. Set up the proxy and capture all traffic.

4. Add items to the cart, proceed to checkout and apply reward points to reduce the price. Look for a request like:

   POST /cart/apply-discount HTTP/1.1
   ...
   points=100&cart_id=123456

5. Intercept the response and find the JSON with the updated total:

   {
     "final_amount": 250,
     "discount": 100,
     "payable": 150
   }

6. Manipulate the response in Burp Repeater and change

   "payable": 0

   or

   "final_amount": 0

7. Forward the modified response to the app.

8. In the app, click "Place Order". If the order confirms with ₹0 payment, Payment Bypass via Response Manipulation is CONFIRMED.


IDOR in Payment

1. Create two accounts on the target site, Account A and Account B.

2. Log in with Account A.

3. Add an item worth $100 to your cart.

4. Go to the payment page, click Place Order, and use Intercept in Burp Suite to hold the request and inspect it.

5. If you see a parameter like order_id that carries a number, store its value and then drop the request.

6. Log in with the second account (Account B) and add an item worth $50 to your cart.

7. Go to the payment page, turn on Intercept in Burp Suite, click Place Order and intercept the request.

8. Replace the value of Account B's order_id parameter with the order_id value saved from Account A's order in step 5.

9. If you are now asked to pay $100 instead of $50, the vulnerability is confirmed: the request is operating on the victim's order.


Negative Quantity Manipulation

1. Go to any e-commerce cart or checkout page.

2. Use Burp Suite to intercept the requests and examine the add-to-cart request.

3. Inside the intercepted request, change the parameter specifying the product price to a negative value, as shown below

   or in JSON

4. Because a total of -1000 cannot be paid, add another product at the same price to the shopping cart so that the cart total becomes 0.

5. Check the shopping cart; if the total has become zero, the vulnerability is confirmed.
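The response-manipulation, IDOR and negative-quantity checks above all fail against a server that recomputes the order from its own state at Place Order time. The following Python handler is an added defender-side example (not code from the original page): it scopes the order lookup to the authenticated user, rejects non-positive quantities and server-side unknown SKUs, prices every line from the server catalogue, caps redeemed points at the user's balance, and treats the client-reported payable only as a detection signal. The catalogue, carts and point balances are constructed.

```python
from typing import Optional

# Constructed server-side state; a real service reads these from its database.
PRICES = {"sku-100": 100, "sku-50": 50}          # prices are never taken from the client
CARTS = {
    "A": {"order_id": 1001, "items": {"sku-100": 1}},
    "B": {"order_id": 1002, "items": {"sku-50": 1}},
}
POINT_BALANCES = {"A": 40, "B": 0}


def add_to_cart(user: str, sku: str, qty: int) -> bool:
    """Reject non-positive quantities and unknown SKUs at the earliest input point."""
    if not isinstance(qty, int) or qty <= 0 or sku not in PRICES:
        return False
    items = CARTS[user]["items"]
    items[sku] = items.get(sku, 0) + qty
    return True


def place_order(user: str, order_id: int, points: int, client_payable: Optional[int] = None) -> dict:
    """Validate a checkout entirely from server-side state.
    client_payable mirrors the 'payable' value a tampered app response would carry;
    it is compared for alerting but never used for the charge."""
    cart = CARTS.get(user)
    # IDOR: the order must belong to the authenticated user, not merely exist.
    if cart is None or cart["order_id"] != order_id:
        return {"ok": False, "error": "order not found for this user"}
    # Negative/zero quantity: every line must be a positive integer, priced server-side.
    total = 0
    for sku, qty in cart["items"].items():
        if not isinstance(qty, int) or qty <= 0 or sku not in PRICES:
            return {"ok": False, "error": "invalid line item " + sku}
        total += PRICES[sku] * qty
    # Reward points: never negative, capped at the balance and at the order total.
    if not isinstance(points, int) or points < 0:
        return {"ok": False, "error": "invalid points"}
    redeemed = min(points, POINT_BALANCES[user], total)
    payable = total - redeemed
    if client_payable is not None and client_payable != payable:
        # Detection hook: the client disagrees with the server price; log and alert on it.
        print("warning: client payable %s != server payable %s" % (client_payable, payable))
    return {"ok": True, "order_id": order_id, "total": total, "redeemed": redeemed, "payable": payable}
```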


White Box

Cheat Sheet
