Bismillah
Hey guys, here's another report-styled entry into the Hacking APIs part of <a target="_blank" href="https://youtube.com/@umar_ndungo">my YouTube "TEch Stuff Daily?" Series(subscribe)</a>
<h1 id="heading-mass-assignment-vulnerability-in-checkout-api">Mass Assignment Vulnerability in Checkout API.</h1>
The following mass assignment API vulnerability was found when accessing the cart allows users to assign a discount to items at purchase.
<h2 id="heading-steps-to-reproduce">Steps To Reproduce</h2>
Tools: Burp and Browser(Firefox for me).
<ol>
<li>Add any item onto the cart - in this case let's add the leather jacket.
 <img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1710665191168/ced295a8-d344-4530-8c5d-6269bb4dc2d6.png" alt class="image--center mx-auto" />
</li>
<li>Access the cart and observe the response via Burp to access the cart - The Response is as shown below. (Send the request to Burp Repeater)
 <img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1710665124368/5d322b9e-fb57-4ebd-b55e-bf171ce1e5ff.png" alt class="image--center mx-auto" />
</li>
<li>Attempt to order the item and capture that request as well. (Send the request to Burp Repeater)
 <img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1710665094363/af6eaf73-72a7-44b1-9a39-934fcba1b75e.png" alt class="image--center mx-auto" />
</li>
<li>In the first request copy the "chosen_discount" key-value pair from the JSON contained in the response.
 <img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1710665065560/dd520dcb-79f2-482a-9bab-1afdae5eec1e.png" alt class="image--center mx-auto" />
</li>
<li>Paste this response in the JSON request to purchase the item and change the value to 100.
 <img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1710665038354/1e1fd830-a82c-41ee-a367-066b39be43e0.png" alt class="image--center mx-auto" />
</li>
<li>Attempt to order the item with the applied discount.
</li>
</ol>
Bug!!
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1710665011805/9a94e1e7-9179-44d3-80c5-59132e125f0d.png" alt class="image--center mx-auto" />
<h2 id="heading-impact">Impact</h2>
The vulnerability in question could allow users to purchase items for free, thus making huge losses for the company.
Thanks again for reading my post... Asalaam Aleykum.

Bismillah

Hey guys, here's another report-styled entry into the Hacking APIs part of [my YouTube "TEch Stuff Daily?" Series(subscribe)](https://youtube.com/@umar_ndungo)

# Mass Assignment Vulnerability in Checkout API.

The following mass assignment API vulnerability was found when accessing the cart allows users to assign a discount to items at purchase.

## Steps To Reproduce

Tools: Burp and Browser(Firefox for me).

1. Add any item onto the cart - in this case let's add the leather jacket.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710665191168/ced295a8-d344-4530-8c5d-6269bb4dc2d6.png align="center")
    
2. Access the cart and observe the response via Burp to access the cart - The Response is as shown below. (Send the request to Burp Repeater)
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710665124368/5d322b9e-fb57-4ebd-b55e-bf171ce1e5ff.png align="center")
    
3. Attempt to order the item and capture that request as well. (Send the request to Burp Repeater)
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710665094363/af6eaf73-72a7-44b1-9a39-934fcba1b75e.png align="center")
    
4. In the first request copy the "chosen\_discount" key-value pair from the JSON contained in the response.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710665065560/dd520dcb-79f2-482a-9bab-1afdae5eec1e.png align="center")
    
5. Paste this response in the JSON request to purchase the item and change the value to 100.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710665038354/1e1fd830-a82c-41ee-a367-066b39be43e0.png align="center")
    
6. Attempt to order the item with the applied discount.
    

Bug!!

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710665011805/9a94e1e7-9179-44d3-80c5-59132e125f0d.png align="center")

## Impact

The vulnerability in question could allow users to purchase items for free, thus making huge losses for the company.

Thanks again for reading my post... Asalaam Aleykum.

TEch Stuff Daily? Entry 2 - Hacking API's

Portswigger Lab: Exploiting a mass assignment vulnerability

Mass Assignment Vulnerability in Checkout API.

Steps To Reproduce

Impact

I write as a 'shortcut' to learning new stuff.


Portswigger Lab: Exploiting a mass assignment vulnerability

TEch Stuff Daily? Entry 2 - Hacking API's

Table of contents

Mass Assignment Vulnerability in Checkout API.

Steps To Reproduce

Impact