Parameter Tampering: How I Manipulated My College Fees from ₹1900 to ₹1

VISHNU VARDHAN
2 min read · Aug 28, 2024


Hello world! In this blog post, I’ll delve into the concept of parameter tampering, a common yet critical web application vulnerability. Using a real-life scenario where I manipulated my college fee payment from ₹1900 to ₹1, I’ll demonstrate how easily exploitable insecure web applications can be. I’ll walk through the technical steps of identifying and exploiting this vulnerability.

1. Log into your account: Access the website and log into your account using your credentials.

2. Navigate to the payment page:

  • Browse to the URL: “https://victim.com/victiminspay/studentpayment.aspx”
  • This page is where students can pay their exam fees.

3. Select the payment amount:

  • On the payment page, choose the fee amount that needs to be paid, which is initially set to ₹1850.
  • Then capture the request through Burp Suite and click proceed with the payment.

4. Modify the payment amount:

  • Locate the parameter that specifies the payment amount (in this case, 1850).
  • Change this value to 1.

5. Forward the modified request:

  • Once the value is changed, forward the modified request to the server.

6. Complete the payment:

  • The system will redirect you to the payment gateway. Follow through with the payment process.
  • The amount charged should now be ₹1 instead of ₹1850.
  • Here it added taxes as well :) and the amount changed to ₹6.90.
  • And in their dashboard it showed as if I had paid the full amount :)
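As an added example (not the post's own code; the college site is ASP.NET, but Python is used here so it is easy to run), the root cause behind these steps is a server that takes the payable amount from the client's request. Below, the flawed handler sits beside a fixed one that looks the fee up server-side, plus the settlement check that refuses to mark the fee paid when the gateway reports a different amount. The fee table, student id, order id and request dicts are constructed sample data.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data: what each student actually owes, held server-side.
FEE_TABLE = {"21CS001": Decimal("1850.00")}


def vulnerable_create_order(form: dict) -> dict:
    """Flawed handler: takes the payable amount from the POST body, so a
    request edited in an intercepting proxy sets whatever amount it likes."""
    return {"order_id": "ORD-1", "student_id": form["student_id"],
            "amount": Decimal(form["amount"])}


def hardened_create_order(session_student_id: str, form: dict) -> dict:
    """Fixed handler: identity comes from the authenticated session and the
    amount from the server-side fee table; any client-sent 'amount' field
    is discarded rather than validated."""
    amount = FEE_TABLE.get(session_student_id)
    if amount is None:
        raise ValueError("no outstanding fee for this student")
    return {"order_id": "ORD-1", "student_id": session_student_id,
            "amount": amount}


def settle_from_gateway(order: dict, callback: dict) -> bool:
    """Second check at settlement: the fee is marked paid only when the
    gateway confirmation carries the expected order id and exactly the
    amount that was due. A mismatch (e.g. 6.90 against 1850.00) is the
    event to log and alert on, not to show as 'paid in full'."""
    try:
        paid = Decimal(callback["amount_paid"])
    except (KeyError, InvalidOperation):
        return False
    return callback.get("order_id") == order["order_id"] and paid == order["amount"]
```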

Thanks for reading ❤

Written by VISHNU VARDHAN

CYBER SECURITY STUDENT | RESEARCHER