Items bought for free due to lack of quantity controls
High
Vulnerability Details
Hi,
The server fails to check the quantity of the items that are going to be sold. Values <= 0 are accepted as 1.
PoC:
Go here
https://sandbox.reverb.com/fr/item/139897-fender-2-strap-leather-test-2018-leather
Intercept the response after clicking "Add to cart" and put "quantity: 0"
{F302179}
Proceed to checkout
{F302180}
Place order
{F302181}
{F302182}
I used one of the fake credit cards you provide us.
## Impact
Items are sold gratis
Report Stats
- Report ID: 357929
- State: Closed
- Substate: resolved
- Upvotes: 38
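
A server-side quantity check for the flaw reported above, as an added example that is not part of the original report and not Reverb's code. `naive_order` is an assumed model of the behaviour described (the charge uses the submitted quantity while fulfilment treats values <= 0 as 1); the catalogue entry, the per-line limit and all function names are constructed for illustration.

```python
from decimal import Decimal

# Constructed catalogue entry: id, price and stock are sample values.
CATALOG = {"strap-1": {"price": Decimal("25.00"), "stock": 3}}
MAX_PER_LINE = 10  # assumed business limit per cart line


class InvalidQuantity(ValueError):
    """Raised when a submitted quantity must be rejected outright."""


def naive_order(item_id, quantity):
    # Assumed model of the flaw: the charge is computed from the raw value,
    # while fulfilment silently coerces anything <= 0 to one unit.
    item = CATALOG[item_id]
    charged = item["price"] * int(quantity)
    shipped = max(1, int(quantity))
    return charged, shipped


def parse_quantity(raw, stock):
    # Accept only a plain ASCII positive integer; never coerce bad input.
    if isinstance(raw, bool) or not isinstance(raw, (int, str)):
        raise InvalidQuantity("quantity must be an integer")
    text = str(raw).strip()
    if not (text.isascii() and text.isdigit() and len(text) <= 4):
        raise InvalidQuantity("quantity must be a positive integer")
    qty = int(text)
    if qty < 1:
        raise InvalidQuantity("quantity must be at least 1")
    if qty > min(stock, MAX_PER_LINE):
        raise InvalidQuantity("quantity exceeds stock or per-line limit")
    return qty


def checked_order(item_id, raw_quantity):
    # One validated quantity drives both the charge and the fulfilment,
    # and the unit price comes from the server-side catalogue only.
    item = CATALOG[item_id]
    qty = parse_quantity(raw_quantity, item["stock"])
    return item["price"] * qty, qty


if __name__ == "__main__":
    print("naive, quantity 0:", naive_order("strap-1", 0))
    print("checked, quantity 2:", checked_order("strap-1", "2"))
    try:
        checked_order("strap-1", 0)
    except InvalidQuantity as exc:
        print("checked, quantity 0 rejected:", exc)
```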