E-commerce logic is tricky. You have to handle coupons, taxes, shipping, and currency conversion. A tiny logic error can let a user buy a $2000 laptop for free.

Negative Amounts

You add 1 iPhone to cart ($1000).
You intercept the request with Burp and change `quantity: 1` to `quantity: -1`.
Cart Total: -$1000.
Some systems refund you immediately. Others subtract it from your total.
Fix: validate the quantity on the server before pricing, e.g. `if (!Number.isInteger(qty) || qty < 1) throw Error();`

1. Parameter Tampering

The checkout page sends:
POST /pay amount=1000&currency=USD
Attacker changes it to:
amount=1&currency=USD
If the server doesn't re-verify the price against the database before charging, the user pays $1.

2. Race Conditions (Coupon Stacking)

You have a "One Time Use" coupon for 50% off.
You send 10 concurrent requests applying the same coupon.
The server checks "Is coupon valid?" -> Yes (for all 10).
The server applies the discount 10 times.
Total discount: 500% off. You get paid to buy the item.

3. Currency Rounding Errors

Attacker buys 0.0001 BTC.
Price: $0.004.
Gateway rounds it down to $0.00.
Attacker repeats 1 million times. They get 100 BTC for free.

Golden Rule

Never trust the integrity of data coming from the client (the browser). Always recalculate the price on the server side (Price = DB_Price * Quantity), apply one-time discounts with an atomic check-and-mark, and sign the payment request with an HMAC so the amount cannot be altered between checkout and the gateway.
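The golden rule, and the fixes for the four flaws above, as an added example that is not part of the original post: the checkout ignores any client-supplied price, rejects quantities below 1, redeems a coupon under a lock so concurrent requests cannot all pass the "is it valid?" check, refuses totals that round below one cent, and HMAC-signs what the gateway will charge. CATALOG, SIGNING_KEY and the SKU names are constructed stand-ins.

```python
# Added example, not from the original post: server-side checkout that ignores client
# prices, rejects bad quantities, redeems a coupon atomically and HMAC-signs the request.
import hashlib
import hmac
import threading
from decimal import Decimal, ROUND_HALF_UP

CATALOG = {"iphone": Decimal("1000.00"), "laptop": Decimal("2000.00")}  # stand-in for the DB
SIGNING_KEY = b"placeholder-server-secret"  # constructed; never sent to the browser
MIN_CHARGE = Decimal("0.01")                # smallest amount the gateway can bill
_coupon_lock = threading.Lock()
_redeemed = set()

def redeem_once(code):
    """Check-and-mark inside one lock, so 10 concurrent requests yield one discount."""
    with _coupon_lock:
        if code in _redeemed:
            return False
        _redeemed.add(code)
        return True

def concurrent_redeem(code, n):
    """Fire n parallel redemptions of the same code; return how many succeeded."""
    wins = []
    threads = [threading.Thread(target=lambda: wins.append(redeem_once(code))) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return wins.count(True)

def compute_total(cart, coupon=None):
    """Price = DB_Price * Quantity; any 'price' field the client sent is ignored."""
    total = Decimal("0")
    for sku, qty in cart.items():
        if isinstance(qty, bool) or not isinstance(qty, int) or qty < 1:
            raise ValueError(f"invalid quantity for {sku}: {qty!r}")
        total += CATALOG[sku] * qty  # unknown SKU raises KeyError: also a rejection
    if coupon is not None and redeem_once(coupon):
        total /= 2  # 50% off, applied at most once per code
    total = total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    if total < MIN_CHARGE:
        raise ValueError("total rounds below the minimum chargeable amount")
    return total

def sign_payment(order_id, total, currency):
    """HMAC over exactly the fields the gateway will charge; check it with hmac.compare_digest."""
    msg = f"{order_id}|{total}|{currency}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
```

The signature must be verified (with `hmac.compare_digest`) by whichever component finally charges the card, otherwise signing adds nothing.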