This publication explains how to bypass credit card payment on a website. However, bypassing the system really depends on the website’s security.
On a well-built website, it is harder to get past the payment step to reach private or paid content. Some websites with weak security will even allow you to purchase an item without paying if you guess the content URLs correctly. This loophole could be due to the developer not validating access on every piece of content, making it possible to get around card payment.
Even some websites using CMS like Joomla and WordPress have been set up by developers without real knowledge of site security, and the payment page of such websites can be easily bypassed.
A payment gateway is designed to secure any sensitive information users provide during the payment process. This system encrypts data like card information and bank account details to protect the user.
On a typical payment gateway or site, when a customer places an order and then clicks the checkout button, the e-commerce website takes them to a payment gateway where they enter any required bank or card information for payment. The payment gateway then directs the user to the issuing bank or a 3D secure link for the transaction to be authorized.
After the transaction is approved, the purchaser’s bank verifies the balance of the customer to check if it’s sufficient or insufficient and notifies the merchant.
If the bank’s response is “No”, the merchant will return an error message to the customer, informing them about the issue encountered with their card. However, if the response is “Yes”, the merchant requests the transaction from the bank; the bank then approves the payment and notifies the customer of the order placement.
Keep in mind that the transaction involves secured information of a user, including bank and credit card details. Thus, the bank needs to be sure it is safe and secure.
How information is secured by Payment Gateway
The transaction carried out on a website is done through an HTTPS web address, which is different from HTTP. The ‘S’ stands for “secure”, which means the transaction passes through a secure tunnel.
Using a hash function, the system typically validates transaction requests with a merchant-signed request. The signature is usually computed with a secret word known only by the payment gateway and the merchant. The requesting server’s IP is also verified to identify malicious activity and keep the payment page result secure.
Acquirers, issuers, and payment gateways are also migrating to Virtual Payer Authentication (VPA) for additional security. When implemented under the 3-D Secure protocol, VPA adds a security layer that makes online authentication easier for buyers and sellers.
Information flow is just the mechanism helping transactions on various websites. And when you understand how website transactions work, you’ll easily bypass credit card payments and shop more for free.
In this section, we discuss ways you can bypass credit card payment on a website:
1. Modify HTML hidden element
This method is simpler and used on poorly-secured websites—you just have to manipulate the product amount to buy on the credit card payment page.
For this method, check if the item cost is available in the hidden element of the HTML form page of the website.
When you select the item to buy, the price is added to the total item amount, taken from the hidden field, and filled into the form. Finally, the total is presented to the buyer. You should have something like:
<input type="hidden" name="business" value="firstname.lastname@example.org">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="item_name" value="Classmate_Notebook">
<input type="hidden" name="amount" value="550">
<input type="hidden" name="currency_code" value="INR">
To bypass credit card payment on this payment page setup, you just change the product price in the hidden form field containing the price.
When you modify the price, the actual price is never reflected in the cart, so you buy whatever you want without paying with your credit card.
2. Payment interception with Burp Suite
With Burp Suite software, you can manipulate the item amount you want to buy online with your credit card by changing the price to 0 or whatever you can afford.
For this method, the price of the item is usually not in the hidden field in the form, so you can’t just modify the HTML and add the item to the cart.
To bypass a credit card payment on a website with Burp Suite, you manually turn on the intercept and manipulate the cost in the intercepted packet once you’re on the payment gateway.
After you edit the item price via the interceptor, forward the packet to bypass the credit card payment on that page.
3. Modify hash to bypass credit card
Many websites have strong security in place to check for the vulnerabilities mentioned in the previous sections, the ones that let you get around credit card payment. More secure websites use a system like a hash to protect the payment page.
A hash is a way of checking the integrity of the messages sent from the payment page of the e-commerce website to the payment gateway, including the product price for payment. The transaction will only be approved if the hash computed before sending matches the one computed after.
a. Figure out the hash parameters and technique
A lot of security vendors consider hash as being secure. However, with deeper digging on a specific e-commerce website, you may be able to figure out the system and break in.
Just dig into how the hash is formulated. You can start by looking up what the website developer has published about their hash formulation, as well as other important details, to help you bypass the credit card page. It may take a bit of time to find the documentation containing the parameters used, as well as the hashing technique employed in the system.
b. Find the password
When you figure out the parameters, typically present in the packet you intercept, you’re some steps in. One of the parameters is the password used, known only to the admin.
To find the password, you can use brute force or use a dictionary attack after putting together the parameters.
c. Break in
With the password, you can then create your hash with a modified item price to buy from the cart without paying. You’d have to be quick about it before the admin changes the password.
Getting the password can be tough. In some cases, the developer may merely copy the same password as in the documentation, making the Payment Gateway security vulnerable for you to bypass the credit card payment on the website.
Tips to beat a website payment page security
Some of the tips to help you beat a website’s credit card payment:
1. Look up the Payment Gateway documentation
You want to read the payment gateway documentation provided by the developers of the merchant website. In the documentation, you may find the critical information you can work with to bypass the credit card payment on the merchant site such as:
- Transaction success message
- Transaction success code
- Hash parameters and technique
- Response messages
- Promo code data
- Response code, etc.
If you come across important information such as “transaction success code” and “transaction success message”, try replacing them with the fail response via the intercept tab if you use the Burp Suite tool. Note that this will only work if the merchant website is not validating the “CheckSum Hash”.
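Seen from the merchant's side, the hash scheme in method 3 and the “CheckSum Hash” validation mentioned in this tip come down to the check below. This is an added example, not code from the original article or from any real gateway; the field names, the JSON canonical form, the sample key and the order data are constructed assumptions.

```python
import hashlib, hmac, json, secrets
from decimal import Decimal, InvalidOperation

# Constructed stand-in for a sample key printed in an integration guide.
DOC_SAMPLE_SECRETS = {b"sample-key-from-integration-guide-0000"}

def check_secret(secret: bytes) -> bytes:
    """Refuse a documentation sample or anything shorter than 32 bytes."""
    if secret in DOC_SAMPLE_SECRETS or len(secret) < 32:
        raise ValueError("use a random merchant secret of at least 32 bytes")
    return secret

def sign(fields: dict, secret: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding (assumed format)."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()

def verify_callback(callback: dict, secret: bytes, orders: dict) -> bool:
    """Accept a callback only if signature, status and amount all check out."""
    fields = {k: v for k, v in callback.items() if k != "signature"}
    claimed = str(callback.get("signature", "")).encode()
    if not hmac.compare_digest(sign(fields, secret).encode(), claimed):
        return False  # altered in transit, or signed with another key
    order = orders.get(fields.get("order_id"))
    if order is None or fields.get("status") != "SUCCESS":
        return False
    try:  # compare with what was stored at order creation, not with the request
        amount = Decimal(str(fields.get("amount", "")))
    except InvalidOperation:
        return False
    return amount == order["amount"] and fields.get("currency") == order["currency"]

# Constructed demo data.
SECRET = check_secret(secrets.token_bytes(32))
ORDERS = {"A1001": {"amount": Decimal("550.00"), "currency": "INR"}}
GOOD = {"order_id": "A1001", "amount": "550.00", "currency": "INR", "status": "SUCCESS"}
GOOD["signature"] = sign(GOOD, SECRET)

if __name__ == "__main__":
    print("untouched callback:", verify_callback(GOOD, SECRET, ORDERS))
    print("amount edited:     ", verify_callback(dict(GOOD, amount="1.00"), SECRET, ORDERS))
```

The amount comparison against the stored order matters even when the signature is valid: it keeps a correctly signed callback for one amount from settling an order created for another.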
2. Consider changing product quantity
Apart from just changing the product price on the credit card page of the merchant website or at the Payment Gateway, you could change the quantity, which reduces the amount you’re charged for the item.
Simply, locate the quantity fields or similar in the captured packets in the Burp Suite software and make changes. For instance:
Quantity = 5 & Price = $ 50 ; Grand total = 5 X 50 = $ 250
Tamper Quantity = 0.01 & Price = $ 50 ; Grand total = 0.01 X 50 = $ 0.5
If the price is secured on the server side like this, you try manipulating the quantity to pay way less.
3. Fuzz other parameters
Other parameters you could try fuzzing include:
- Wallet amount
- Promo codes
- Delivery charges
Just look for any parameter involving money and try to tamper—this way, you have bypassed the credit card payment on that website to shop for free.
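All of the tampering described in methods 1 and 2 and in tips 2 and 3 fails when the server prices the order itself and treats every money-related form field as untrusted. The following is an added example, not part of the original article; the catalogue, delivery fee, promo table, quantity limit and the `quantity` and `promo_code` field names are assumptions.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed server-side tables; a real shop reads these from its database.
CATALOGUE = {"Classmate_Notebook": Decimal("550.00")}
DELIVERY_FEE = Decimal("40.00")
PROMOS = {"WELCOME10": Decimal("0.10")}  # code -> fraction off
MAX_QTY = 100

class TamperedOrder(ValueError):
    """A submitted field disagrees with server-side state."""

def price_order(form: dict) -> Decimal:
    """Return the amount to charge, computed from server-side data only."""
    item = form.get("item_name")
    if item not in CATALOGUE:
        raise TamperedOrder("unknown item")
    qty_raw = str(form.get("quantity", ""))
    # Whole units only: rejects "0.01", "-1", "1e2", "" and oversized values.
    if not re.fullmatch(r"[1-9][0-9]{0,2}", qty_raw) or int(qty_raw) > MAX_QTY:
        raise TamperedOrder("invalid quantity")
    subtotal = CATALOGUE[item] * int(qty_raw)
    promo = form.get("promo_code")
    if promo:
        if promo not in PROMOS:
            raise TamperedOrder("unknown promo code")
        subtotal -= (subtotal * PROMOS[promo]).quantize(Decimal("0.01"))
    total = subtotal + DELIVERY_FEE  # delivery fee is never read from the form
    # A client-sent amount is compared, never used; a mismatch is worth logging.
    sent = form.get("amount")
    try:
        mismatch = sent is not None and Decimal(str(sent)) != total
    except InvalidOperation:
        mismatch = True
    if mismatch:
        raise TamperedOrder(f"client amount {sent!r} differs from server total {total}")
    return total

if __name__ == "__main__":
    print(price_order({"item_name": "Classmate_Notebook", "quantity": "5"}))
```

Raising `TamperedOrder` instead of silently correcting the value gives the shop a log event to alert on when a submitted amount or quantity does not match what the server computed.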