My first BurpSuite Vulnerability using Intercept
I was playing around with Portswigger’s Burp Suite in hopes of learning Cross Site Scripting and SQL injection when I discovered their learning labs.
After playing around for a couple of hours, I learned how to use the intercept and how to change requests to my liking.
I then gained approval from a friend of mine who runs some game servers and has a VIP system to skip the long queues to try some of the stuff I had just learned.
When an item has been added to the basket, before the purchase is handed over to Paypal, the price is checked via the request sent. There is no validation, so whoever controls the request controls the cost of the item.
Here is the standard request:
You can see the Amount=11.00 field. Well… that price is now up to me. I can change it to anything I want. Then, I can send the request forward and Paypal will accept the cost without a care. The VIP system will register my account as having purchased a VIP package and I am good to go.
Technically, I could have changed it to 0.01 but I thought I would be generous… You can see the request went through at the amount I set, $1.50 Euros.
From my research, it looks like the issue is caused by: GET /cgi-bin/webscr?cmd=_xclick
cmd=_s-xclick - Tells Paypal there is a hosted button to look for.
hosted_button_id= - holds the variables, prices, items, etc.
On the hosted_button_id=, the ID does not state any set amounts.
Amount= is a variable, which means it can be dynamically changed and will accept whatever is put after the =.
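The fix for this class of bug is to never let the client's Amount= field decide the price. The following Python is an added example, not code from the post or from the game server: it shows the vulnerable pattern next to a hardened one that takes the price from a server-side catalog and re-checks the payment callback before granting VIP. The CATALOG, the item id and the helper names are constructed assumptions; the callback field names follow PayPal IPN conventions, which the post itself does not show.

```python
from decimal import Decimal, InvalidOperation
from typing import Optional
from urllib.parse import parse_qs

# Hypothetical server-side price list (constructed; the real shop's catalog is not on the page).
CATALOG = {"vip-30d": (Decimal("11.00"), "EUR")}


def parse_checkout_request(query: str) -> dict:
    """Flatten the query string of an intercepted checkout request into a dict."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def build_paypal_params_insecure(req: dict) -> dict:
    """Vulnerable pattern from the post: the amount handed to PayPal is copied
    from whatever the client sent, so an intercepted request sets the price."""
    return {"cmd": "_xclick", "item_number": req["item_number"],
            "amount": req["amount"], "currency_code": req["currency_code"]}


def build_paypal_params_secure(req: dict) -> Optional[dict]:
    """Hardened: price and currency are looked up server-side; the client's
    amount field is ignored entirely. Unknown items are rejected."""
    entry = CATALOG.get(req.get("item_number"))
    if entry is None:
        return None
    price, currency = entry
    return {"cmd": "_xclick", "item_number": req["item_number"],
            "amount": f"{price:.2f}", "currency_code": currency}


def is_valid_payment(notification: dict) -> bool:
    """Second check on the payment callback (field names follow PayPal IPN
    conventions: item_number, mc_gross, mc_currency, payment_status): only
    grant VIP if the paid amount and currency match the catalog exactly."""
    entry = CATALOG.get(notification.get("item_number"))
    if entry is None or notification.get("payment_status") != "Completed":
        return False
    price, currency = entry
    try:
        paid = Decimal(notification.get("mc_gross", ""))
    except InvalidOperation:
        return False
    return paid == price and notification.get("mc_currency") == currency
```

Even with the hardened checkout, keep the callback check: PayPal standard buttons let the payer's browser carry the amount, so the server must confirm what was actually paid.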