avneesh0612 / voyagger

Connecting people, Changing Lives
https://www.voyagger.tech/
MIT License

Tampering with price parameter #14 (label: Bug)

Open yaswanthsaivendra opened 3 years ago

yaswanthsaivendra commented 3 years ago

While proceeding to checkout, one can intercept the request and manipulate the price parameter and buy the products at a lower price. There should be functionality implemented at the backend to cross-check the price against the corresponding product before proceeding to the Stripe payment portal.

avneesh0612 commented 3 years ago

So @yaswanthsaivendra can you try working on that?

yaswanthsaivendra commented 3 years ago

Sorry, I am not familiar with the tech stack used, otherwise I would be doing that. I am a Python developer. Hopefully someone fixes this.

avneesh0612 commented 3 years ago

Oh ok, no problem.

princeprag commented 2 years ago

Hey @avneesh0612 I would like to work on that, if it's fine.

avneesh0612 commented 2 years ago

Great @princeprag. You can work on it.

princeprag commented 2 years ago

@avneesh0612, I was not able to reproduce the bug. What does "intercept" mean here? I tried doing inspect while clicking on the checkout button, but wasn't able to find the request URL.

avneesh0612 commented 2 years ago

Um @princeprag I don't know how to recreate the error. @yaswanthsaivendra might be able to tell.

yaswanthsaivendra commented 2 years ago

@princeprag, intercept in the sense that one can capture the request when it's being transferred from frontend to backend, so that they can change the data that is being transferred. So, one can change the price parameter to decrease the value. For reproducing this bug, you need to set up an intercepting proxy between the browser and your server. If you aren't able to do that, you can still understand the working of the code and solve it by changing the implementation. Remediation: Implement functionality in the backend to check whether the price is the same with the help of the respective product id (before proceeding to the Stripe payment portal). @avneesh0612, if possible provide him with any source, so that he can get a better understanding of the payment processing implementation used.
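The backend check described in this thread, as an added example that is not voyagger's own code: the client request contributes only product ids and quantities, and every `unit_amount` handed to Stripe comes from a server-side catalog. The `CATALOG` contents and the cart request shape are assumed for illustration.

```javascript
// Added example: server-side price validation before a Stripe Checkout
// session is created. Not the project's code; catalog and request shape
// are assumed.

// Trusted price source (constructed sample; normally a database query).
const CATALOG = {
  prod_001: { name: "Guided city tour", unitAmount: 4500, currency: "usd" },
  prod_002: { name: "Airport transfer", unitAmount: 2500, currency: "usd" },
};

// Vulnerable pattern: the client-supplied price is passed straight to
// Stripe, so a tampered request with price: 1 is charged 1 cent.
function lineItemsFromClientPrice(cart) {
  return cart.map(({ id, price, quantity }) => ({
    price_data: { currency: "usd", unit_amount: price, product_data: { name: id } },
    quantity,
  }));
}

// Hardened pattern: only id and quantity are read from the request;
// unit_amount always comes from the catalog. Unknown ids, bad quantities
// and a client price that disagrees with the catalog are rejected, so the
// attempt can be logged instead of silently corrected.
function buildLineItems(cart, catalog = CATALOG) {
  if (!Array.isArray(cart) || cart.length === 0) throw new Error("empty cart");
  return cart.map(({ id, price, quantity }) => {
    const product = catalog[id];
    if (!product) throw new Error(`unknown product id: ${id}`);
    if (!Number.isInteger(quantity) || quantity < 1 || quantity > 100) {
      throw new Error(`invalid quantity for ${id}`);
    }
    if (price !== undefined && price !== product.unitAmount) {
      throw new Error(`price mismatch for ${id}: got ${price}, expected ${product.unitAmount}`);
    }
    return {
      price_data: {
        currency: product.currency,
        unit_amount: product.unitAmount, // trusted value, never the client's
        product_data: { name: product.name },
      },
      quantity,
    };
  });
}

// Total in minor units, computed from the validated line items.
function orderTotal(lineItems) {
  return lineItems.reduce((sum, li) => sum + li.price_data.unit_amount * li.quantity, 0);
}
```

The array returned by `buildLineItems` is what would be passed as `line_items` to the Checkout session; the request handler should never read a price field from the body for that purpose.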