Unveiling the Dark Side of Price Manipulation in E-Commerce

— Sam Jacob Dec, 2, 2023

Cybeer Security Blogs >> Secrets In Code >> Unveiling the Dark Side

As online transactions continues to rise, it becomes obvious that ensuring payment security is of utmost importance. E-commerce platforms invest heavily in security measures to secure their systems. However, even with these measures in place, price manipulation attacks can still occur, on platforms where transactions take place. This blog aims at capturing the security concerns with online payment processes and provide guidance on safeguarding against Price manipulation attacks.

How E-payments Work?

  1. The customer decides which product to purchase from the e-commerce application.
  2. Upon clicking the payment button, the customer is directed to the order page where they input thier payment details, including card information and identification. Subsequently, they submit the payment request.
  3. The online payment provider system sends the customer’s payment request to their bank account for the bank purchase approval.
  4. If the customer’s card credentials is valid, and there are sufficient funds to complete the transaction, the customer’s bank will authorise the purchase. However, if the transaction is declined due to reasons such as incorrect credentials or insufficient funds, no funds will be transferred but your website will still receive status information.
  5. The Issuing bank will pass on its approval or refusal to the acquiring bank.

Price Manipulation:

Price Manipulation can be done through various means, such as altering the products’s URL parameters, abusing the coupons, client-side Manipulations, or businesses logic abuse in the checkout process.

For Example:
Let’s consider an example involving an e-commerce website which is an online grocery store. In the regular scenario, a customer selects a product priced at INR X and proceeds to checkout. The customer completes the purchase, paying INR X and the order is confirmed.Let’s look at a typical price manipulation issue:

  • Attacker tries to purchase a product which costs INR 26 but this requires the minimum balance of INR 26 in the wallet.
  • Attacker proceeds to the online payment for purchasing this product and captures the request in the background. In the below screenshot you can see that the actual price of the product is reflecting in the path.
  • Attackers could now manipulate/change the price from INR 26 to INR 1 and forward the request.
  • The Attacker is able to purchase the product with just one rupee.

In this Example, the attacker manipulated the price parameter in the product’s URL, causing a significant discount. While the actual back end price remained INR 26, the attacker/customer was able to make the purchase at a fraction of the cost. This type of price manipulation can result in financial losses for the e-commerce business and erode customer trust.

Impact of Price Manipulation attacks:

Price manipulation attacks in the context of e-commerce applications are significant and unique for several reasons:

  1. Financial Impact: Price Manipulation attacks can have a substantial financial impact on both the e-commerce business and its customers. When attackers successfully manipulate prices, they can purchase products at lower prices or take advantage of unauthorised discounts, causing financial losses to the business.
  2. Impact on Inventory and suppliers: When prices are manipulated, it can lead to unexpected fluctuations in demand for certain products. This can affect inventory management, supply chain.
  3. Loss of user Trust and brand reputation: Impacts user trust in the e-commerce platform and loss of brand reputation.

Challenges in detecting or identifying Price Manipulation:

  1. Deception: Price Manipulation attacks involve deceptive tactics, making them unique.
  2. Multiple Attack Vectors: These attacks can occur through various attack vectors, including URL parameter tampering, coupon abuse, client-side scripting, and other creative means. This diversity of attack methods adds to their uniqueness and the challenge in defending against them.
  3. Complex Detection: Detecting price manipulation attacks can be challenging. Some of the business logic abuse cannot be detected by monitoring and will require a through manual audit process.
  4. Adaptation by Attackers: Attackers are continually evolving their techniques to carry out price manipulation attacks.

Prevention and mitigation:

Given the unique characteristics, e-commerce business must vigilant and employ a combination of security measures to mitigate the risks associated with price manipulation attacks. To prevent price manipulation in e-commerce applications, organisation could consider implementing the following measures. 

  1. Input Validation: validate and sanitise user input, especially when dealing with price-related parameters.
  2. Coupon Code Security: Secure your coupon system and track the usage of coupon codes to prevent abuse.
  3. Server-Side Price Verification: Always perform price checks and calculations on the server side to ensure that client-side manipulations do not affect the final purchase price.
  4. Perform regular audits: Regularly monitor and audit the systems for unusual pricing patterns and adapt security measure accordingly.
  5. Regular Penetration Testing: Considering the price manipulation vulnerabilities are typical abuse scenarios that cannot be generally identified through manual testing. Regularly perform penetration testing to identify and address vulnerabilities in your e-commerce application.
Blog by- SecIQ Security Research Team