
Security Lab Exposes Client-Side Price Manipulation Vulnerability in E-Commerce App
A security laboratory has demonstrated a client-side price manipulation vulnerability in a deliberately vulnerable e-commerce application called OopsSec Store, developed using Next.js. The server accepts the total amount sent by the browser as-is, without recalculating it from the actual prices stored in the database.

The exploit consists of intercepting the POST request to /api/orders with a proxy such as Burp Suite and modifying the total field before the request reaches the server. In 2019, a similar flaw affected British Airways, Steam, and cryptocurrency platforms.

The recommended fix is to systematically recalculate order totals on the server side from the stored prices, never from a client-supplied value. The flag obtained is OSS{cl13nt_s1d3_pr1c3_m4n1pul4t10n}. The project is available on GitHub for testing in an isolated local environment.
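To make the fix concrete, here is an added example (not the OopsSec Store project's own code) showing the vulnerable order handler next to a hardened one that recomputes the total from server-side prices and flags a mismatching client total; the catalog, request bodies and the Next.js route shape are assumptions constructed for the example.

```javascript
// Added example, not the OopsSec Store code. Prices are integer cents so the
// total never goes through floating-point arithmetic. Constructed catalog:
const CATALOG = new Map([
  ['sku-1001', { name: 'Laptop', priceCents: 129900 }],
  ['sku-2002', { name: 'Mouse', priceCents: 2499 }],
]);

// Vulnerable: charges whatever `total` the browser sent, as the lab's /api/orders did.
function createOrderVulnerable(body) {
  return { ok: true, chargedCents: body.total };
}

// Hardened: ignores any client-supplied total and recomputes from catalog prices.
function createOrderSecure(body) {
  if (!Array.isArray(body.items) || body.items.length === 0) {
    return { ok: false, status: 400, error: 'no items' };
  }
  let total = 0;
  for (const line of body.items) {
    const product = CATALOG.get(line.sku);
    // Unknown SKU, or a quantity that is not a positive integer, is rejected.
    if (!product || !Number.isInteger(line.qty) || line.qty <= 0) {
      return { ok: false, status: 400, error: `invalid line: ${line.sku}` };
    }
    total += product.priceCents * line.qty;
  }
  // A client total that disagrees with the server's figure is a useful
  // detection signal: log it as a possible tampering attempt.
  const tampered = body.total !== undefined && body.total !== total;
  return { ok: true, chargedCents: total, tampered };
}

// Assumed Next.js App Router handler shape for /api/orders (app/api/orders/route.js).
async function POST(request) {
  const body = await request.json();
  const result = createOrderSecure(body);
  return Response.json(result, { status: result.ok ? 201 : result.status });
}
```

The `tampered` flag is what a defender would route to logging or alerting; the charged amount itself never depends on the request body.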