Payment Gateway Bypass on Government Domain.

Author Name: Pavan Saxena (RootKid)

Release Date: 15 Dec 2022


This vulnerability was not directly discovered by me; a friend of mine found it and was also involved in the process. My main contribution was exploiting and reporting it. The second vulnerability was discovered by me.

Overview

The vulnerability was found on the website used to pay challans online to the Ahmedabad Traffic Police. The basic requirement was therefore a vehicle registered under the Ahmedabad RTO with some challan amount outstanding.

Exploitation

When you visit the home page of the website, it presents a field for the number of a vehicle registered under the Ahmedabad RTO.

Home Page

On the next page, it shows all the challans you have to pay. Select one or all of them.

Challan page — 1
Challan page — 2

Note: Sorry for not having clear POCs, as it is important for me to hide all sensitive data for security reasons.

On intercepting the payment request, we can see the challan amount being sent in it. Even after changing it to a lower value, the payment still goes through. Check the POCs attached below.

Original request with challan amount of ₹ 1300
Manipulating the value of challan to ₹ 1

After manipulating the value of the challan, we are sent to the SBI payment gateway.

SBI Payment Gateway.

On the payment gateway, we can see that it shows we have to pay ₹0 to clear our challan. This proves that we have successfully bypassed the payment gateway for our challan payment.

Receipt of clearing challan of ₹ 1300

Second Vulnerability

After receiving the receipt of the challan payment, I noticed that on the top left corner there is a download button. I decided to check if there is any other vulnerability to be exploited…

Receipt of challan payment

I was right!!! I found an IDOR there. On intercepting the request from the download button, I found that a receipt id parameter is sent in the request.

The original request for my challan receipt

My challan receipt id was ***9242. I changed it to ***9241 and got to see the challan receipt of some other person.

Manipulating the value of receipt id
Challan Receipt of some random person.
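Both issues come from the server trusting a value sent by the client: the challan amount in the payment request and the receipt id in the download request. The sketch below is an added example, not code from the affected site, showing the server-side checks that close both. Every name, id, vehicle number and record in it is constructed, and it assumes a session is scoped to the vehicle number that was looked up.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side records; ids, vehicle numbers and amounts are made up.
CHALLANS = {
    "CH-1": {"vehicle": "GJ01AB1234", "amount": Decimal("1300"), "paid": False},
    "CH-2": {"vehicle": "GJ01AB1234", "amount": Decimal("500"), "paid": False},
    "CH-3": {"vehicle": "GJ01ZZ9999", "amount": Decimal("200"), "paid": True},
}
RECEIPTS = {"R-9242": "GJ01AB1234", "R-9241": "GJ01ZZ9999"}  # receipt id -> vehicle

class Rejected(Exception):
    """Raised when a request does not match what the server has on record."""

def amount_due(session_vehicle, challan_ids):
    """Total owed, computed only from server records for this session's vehicle."""
    total = Decimal("0")
    for cid in challan_ids:
        ch = CHALLANS.get(cid)
        if ch is None or ch["vehicle"] != session_vehicle or ch["paid"]:
            raise Rejected(f"challan {cid} is not payable in this session")
        total += ch["amount"]
    return total

def start_payment(session_vehicle, challan_ids, client_amount):
    """Build the gateway order; a client-sent amount is compared, never used."""
    total = amount_due(session_vehicle, challan_ids)
    try:
        if Decimal(str(client_amount)) != total:
            raise Rejected("client amount differs from server total")  # log it
    except InvalidOperation:
        raise Rejected("malformed amount")
    return {"vehicle": session_vehicle, "challans": list(challan_ids), "amount": total}

def settle(order, gateway_paid_amount):
    """Mark challans paid only when the gateway confirms the full server total."""
    due = amount_due(order["vehicle"], order["challans"])  # also blocks double settle
    if Decimal(str(gateway_paid_amount)) != due:
        raise Rejected("gateway amount does not cover the challans")
    for cid in order["challans"]:
        CHALLANS[cid]["paid"] = True

def download_receipt(session_vehicle, receipt_id):
    """Serve a receipt only to the session it belongs to (object-level check)."""
    owner = RECEIPTS.get(receipt_id)
    if owner is None or owner != session_vehicle:
        raise Rejected("receipt not found")  # same answer for missing and foreign ids
    return f"receipt {receipt_id} for {owner}"
```

A rejected amount mismatch or a request for a receipt the session does not own is also a useful detection signal, since neither happens in normal use of the site.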

In return, I did not get anything for this. But overall, after reporting 40+ vulnerabilities in the Government domain to the National Critical Information Infrastructure Protection Centre (NCIIPC), I got my name mentioned in the April 2022 newsletter.

Newsletter of April 2022

Thank You For Reading,

Happy Hacking !!!!




Hacker's Mantra: A hacker doesn't deliberately destroy data or profit from his activities. -- Kevin Mitnick
