This repository has been archived by the owner on Dec 22, 2024. It is now read-only.
When the user page loads, I see that the multiStepsRsvn.js file exists. When I browse inside, I see that there is a displayTotalCost() function here.
When the relevant js file is examined, the price information of the rooms and the price calculation of the reservation are all done on the front-end side, and these calculations are delivered to the back-end side via an HTTP request. This is a very big vulnerability because you rely on the data coming from the front-end.
I manipulate the relevant js file to manipulate the price. Although the price calculation is normally done here, I set the value equal to zero. This means that whatever the room price is, the price will be $0.
As you can see, although the room charge is $1000, the total charge is $0. When the HTTP request below is examined, it will be seen that the total fee is $0 in the outgoing request. (Note: We could also manipulate the outgoing HTTP request directly by not dealing with the front-end side at all. In that case, the total value would appear as $1000 on the front-end side, but since we would send $0 in the HTTP request, the back-end server would accept the $0 value we sent.)
As you can see below, my booking is confirmed for $0.
The main problem here is that you rely on the value that comes via POST request. You should do the calculation in the back-end, not in the front-end.
Another business logic vulnerability is that the adults and children values can be sent as negative numbers during reservation. This is shown below in the HTTP request.
When the request was sent, the reservation was confirmed without any obstacles.
As can be seen below, there are -40 adults and -100 children.
References:
https://portswigger.net/web-security/logic-flaws