In 2021, I was testing on some Program, and my brother asked me to fill out his University Application Form. So I started the process and in the background, all the traffic was going through my Proxy Tool(Burpsuite).
The University program has an option to pay the full fee or half at the time of Registration. So I tried to change the price amount but they were cross-checking the amount on the server side which made the request invalid and the transaction got rejected.
The Hunt Starts here:
After trying for a few hours and learning the application flow side-by-side. I noticed one Request with the country code and currency, which caught my attention. The University Accepts International Applications which might be the reason for those parameters. So I started to play around with those parameters and checked how the website and server behave with different values. After a few tries, I changed the currency to USD because I remembered the currency code for that 🙂, Now the website redirects me to a payment gateway with the value of 80K USD inseated of INR.
Currency Search:
Now we need a currency that is very low compared to INR and available on the Payment Gateway. They were using Razorpay as a payment Gateway which supports 100 major currencies.
I chose 2 currencies that were accepted i.e. Rupiah & Laotian Kip
10 INR ~= ₭ 1000
The end is not here, we need to prove that this a bug and not any assumptions. I tried to change the payment which was like 80,000 (800 INR), I can take the risk of paying this amount but it will not be worth it as who knows if they will pay it back or not or silently fix it(which happened many times with me 🙁).
I can not pay 80k or 10k for the fee;
Trying Something different ……
I re-analyzed the website again and noticed that the admission fee of 1k is using the same mechanism used in the Fee Payment request.
So I registered a new account and changed the currency and country code which allows me to pay only INR 10 instead of INR 1000. It is not always bypassing the complete process sometimes we need to pay attention to additional things that might make a huge impact in the end.
Reporting Time➖
Now I have successfully registered the student with very little payment. I reported this to my Teacher who was then in the admission department. But he confirms that they were only able to see the full payment which was 1000Rs instead of 10Rs. Then I asked to check on the Payment Gateway Portal (Razorpay) and it was there with a different currency that I had used.
After some research, I found that they were using a Student Management Software of the Company named NoPaperForms, and 400+ other Universities were under the same umbrella (Vulnerable to this bug). I created a draft report and submitted it to them.
After the patch, I verified that the bug was fixed and not vulnerable anymore. But they became ghosts after the fix. I contacted back to my teacher and he shared that they were also not responding to him on this topic.
As an appreciation, my teacher sent a Pen as a swag.
Later I thanked myself for not paying the full fee payment 😂.
Thanks For reading :)
Follow for More:-
Twitter:- root_rao