IDOR: Payment Fraud on a Gym Membership Website

Timotius Benhur
3 min read · Jul 25, 2024

--

Hi, it's me, Timotius. In this article I'll try to write an English writeup for you guys. Before we start, I'm really sorry if my English is bad. The purpose of this article is to express my disappointment with fellow IT people in my country.

First of all, in my country there are a lot of people exploiting bugs for their own benefit, like selling illegal backlinks to rank up their SEO, and many more that I can't explain. To be honest, the reason so many people try to exploit bugs and profit from them is that we are not appreciated enough. And that is why I am sharing this bug: because I have felt that.

Let's get into the topic. I found a bug on a gym website; it's a massive company with a lot of branches in my country. I reported it on their Instagram and the IT team chatted with me personally. The bug is that I can buy a membership for any amount I want, and the payment is processed automatically through Xendit. To be honest, I found two bugs, an IDOR and an OTP bypass, but in this article I will share the IDOR first; maybe, if I'm not lazy, I will write up the OTP bypass later.

POC (Proof of Concept)

First I pick a package offer from the website, then fill in fake personal data at registration, and go to the payment section.

Personal data section, with fake OTP bypass

After that I go to the payment section, which looks like this:

Payment section

Before I pay, I intercept the payment request so I can check what the website sends. The request body contains the payment amount and the package_id, and both of them can be changed by the client. I change the amount of the price. The server does not look the price up from the package_id itself; it accepts the amount from the request, so whatever value I put there is the value that gets charged.

The request form
The response

After that I get redirected to Xendit, and here is the Xendit payment page with the tampered amount.
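To make the root cause concrete, here is an added example (not code from the original post or from the gym's website) of a checkout handler that trusts the client-supplied amount, next to a hardened version that derives the price from package_id on the server and re-checks the amount when the payment gateway calls back. The package catalogue, the prices, the create_invoice stand-in, the callback field names and the function names are all assumptions made for this example; the real site and the Xendit API are not modelled.

```python
"""
Added example (not from the original post): a checkout handler that trusts the
client-supplied amount, beside a hardened version that derives the price from
package_id on the server and re-checks the amount at the payment callback.
Catalogue, prices, create_invoice and the callback field names are constructed
for this example; the real site and the Xendit API are not modelled.
"""
from dataclasses import dataclass

# Constructed server-side catalogue: the only place prices should come from.
PACKAGES = {
    "pkg-monthly": 500_000,   # hypothetical price in IDR
    "pkg-annual": 4_800_000,
}


@dataclass(frozen=True)
class Invoice:
    external_id: str
    package_id: str
    amount: int


def create_invoice(external_id: str, amount: int, package_id: str) -> Invoice:
    """Stand-in for a payment-gateway invoice call (the real Xendit SDK is not used)."""
    return Invoice(external_id=external_id, package_id=package_id, amount=amount)


def vulnerable_checkout(body: dict) -> Invoice:
    """Vulnerable: the amount comes straight from the request body, as on the page.
    Whatever the intercepted request says is what the gateway invoice will charge,
    and package_id is never validated either."""
    return create_invoice(
        external_id=f"order-{body['package_id']}",
        amount=int(body["amount"]),
        package_id=body["package_id"],
    )


def hardened_checkout(body: dict) -> Invoice:
    """Hardened: package_id is the only client input that matters; the price is
    looked up server-side. A client-supplied amount that differs from the catalogue
    price is rejected rather than ignored, because it is a useful tamper signal."""
    package_id = body.get("package_id")
    if package_id not in PACKAGES:
        raise ValueError("unknown package")
    price = PACKAGES[package_id]
    if "amount" in body and int(body["amount"]) != price:
        # Log-worthy: a legitimate client never needs to send a different amount.
        raise ValueError("client-supplied amount does not match package price")
    return create_invoice(external_id=f"order-{package_id}", amount=price, package_id=package_id)


def payment_callback_is_valid(stored: Invoice, callback: dict) -> bool:
    """Second line of defence at the payment-success callback (field names are
    assumed): only activate the membership if the gateway reports the order the
    server created and the amount the server originally expected."""
    return (
        callback.get("external_id") == stored.external_id
        and callback.get("status") == "PAID"
        and int(callback.get("paid_amount", -1)) == PACKAGES[stored.package_id]
    )
```

The first handler reproduces the bug in the writeup: a request with package_id of the annual plan and an amount of 1 produces an invoice for 1. The hardened handler creates the invoice for the catalogue price regardless of what the request says, and the callback check means that even if an invoice were somehow created for the wrong amount, the membership would not be activated.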

That's all for today's writeup. The IT team already reached me personally, and the bug was reported on 16 July. After that I asked their permission to write this on my Medium, but after he got the report of my bug he ignored me, maybe because I asked for a reward. The purpose of this writeup is to say why so many people exploit bugs for their own benefit: it is because we are not appreciated enough. For me, we are in the same sector, IT; I think we should feel the same way :3

Bug Reported : 16 July 2024
