Payment Gateway Bypass on Government Domain.
Author Name: Pavan Saxena (RootKid)
Release Date: 15 Dec 2022
The vulnerability was found on the website used to pay challans online to the Ahmedabad Traffic Police. The basic requirement was to have a vehicle registered under the Ahmedabad RTO that has some challan amount pending on it.
When you visit the home page of the website, it presents you with a field to enter the number of your vehicle registered under the Ahmedabad RTO.
On the next page, it shows you all the challans you have to pay. Select one or all of them.
Note: Sorry for not having clear POCs, as it is important for me to hide all sensitive data for security reasons.
On intercepting the payment request, we can see the challan amount being sent in it. On changing its value to some lower value, the payment would still pass. Check the POCs attached below.
After manipulating the value of the challan, we get the SBI payment gateway.
On the payment gateway, we can see that it shows we have to pay ₹0 to clear our challan. This proves that we have successfully bypassed the payment gateway for our challan payment.
After receiving the receipt of the challan payment, I noticed that on the top left corner there is a download button. I decided to check if there is any other vulnerability to be exploited…
I was right !!! I found an IDOR there. On intercepting the request of the download button, I found out there is a receipt id parameter going through the request.
My challan receipt id was ***9242. I changed it to ***9241 and got to see the challan receipt of some other person.
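Both issues above come from the server trusting values sent by the client: the amount in the payment request and the receipt id in the download request. The following is an added example, not the site's code, of the server-side checks that close them; it assumes each session is bound to one vehicle number, and all function names, record ids and amounts are hypothetical, constructed sample data.

```python
# Added example: server-side checks for the two flaws described above.
# All record ids, vehicle numbers and amounts are constructed sample data.
CHALLANS = {  # challan id -> server-side record (amounts in paise)
    "CH-1001": {"vehicle_no": "GJ01AB1234", "amount": 50000, "paid": False},
    "CH-1002": {"vehicle_no": "GJ01AB1234", "amount": 100000, "paid": False},
    "CH-2001": {"vehicle_no": "GJ01ZZ9999", "amount": 30000, "paid": False},
}
RECEIPTS = {  # receipt id -> vehicle the payment was made for
    "R-0001": {"vehicle_no": "GJ01ZZ9999", "amount": 30000},
    "R-0002": {"vehicle_no": "GJ01AB1234", "amount": 50000},
}

class Rejected(Exception):
    """Raised when a request fails a server-side check."""

def build_payment_order(session_vehicle_no, challan_ids, client_amount):
    """Price the order from stored records; the client figure is only compared."""
    selected = sorted(set(challan_ids))
    if not selected:
        raise Rejected("no challan selected")
    total = 0
    for cid in selected:
        rec = CHALLANS.get(cid)
        if rec is None or rec["vehicle_no"] != session_vehicle_no or rec["paid"]:
            raise Rejected("challan not payable in this session")
        total += rec["amount"]
    if client_amount != total:
        # A mismatch means a stale page or a modified request: refuse and log.
        raise Rejected("amount does not match server records")
    return {"challans": selected, "amount": total}  # this is sent to the gateway

def confirm_payment(order, gateway_paid_amount):
    """On the gateway callback, mark challans paid only if the full sum arrived."""
    if gateway_paid_amount != order["amount"]:
        raise Rejected("gateway amount differs from order amount")
    for cid in order["challans"]:
        CHALLANS[cid]["paid"] = True
    return True

def fetch_receipt(session_vehicle_no, receipt_id):
    """Return a receipt only to the session it belongs to."""
    rec = RECEIPTS.get(receipt_id)
    # Same error for "missing" and "not yours", so ids cannot be enumerated.
    if rec is None or rec["vehicle_no"] != session_vehicle_no:
        raise Rejected("receipt not found")
    return rec
```

The amount is checked twice, once when the order is built and again on the gateway callback, so a request modified at either step cannot settle a challan for less than the recorded sum.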
In return, I did not get anything for this. But overall, after reporting 40+ vulnerabilities in the Government domain to the National Critical Information Infrastructure Protection Centre (NCIIPC), I got my name mentioned in the April 2022 Newsletter.
Thank You For Reading,
Happy Hacking !!!!
Hacker's Mantra:
A hacker doesn't deliberately destroy data or profit from his activities. -- Kevin Mitnick