
Client-Side Price Manipulation Vulnerability Discovered in OopsSec Store
A client-side price manipulation vulnerability has been identified in OopsSec Store. The server accepts the order total sent by the browser as-is, without recalculating it from the product prices stored in the database. Because the browser is fully under the attacker's control, any value it sends for the total must be treated as untrusted input, not as the result of a calculation.

Exploitation consists of proxying the browser through Burp Suite (listening on 127.0.0.1:8080), intercepting the POST request to /api/orders, and changing the total field in the JSON payload to an arbitrary value such as 0.1 before forwarding it. The order is then created at the tampered price. The vulnerable code uses the client-supplied value directly, without validation: total: total.

The recommended fix is to ignore the client-supplied total entirely and recompute it server-side by looking up each item's price in the database and summing price times quantity over the cart items with reduce(). The same handler should also validate that every product ID exists and that every quantity is a positive integer, since an attacker who can alter the total can just as easily alter those fields. If a client-sent total is kept at all, it should be compared against the server's figure and the request rejected on mismatch, never used as the charged amount.

The captured flag is OSS{cl13nt_s1d3_pr1c3_m4n1pul4t10n}. This vulnerability illustrates a fundamental violation of the trust boundary: a critical financial calculation was delegated to client-controlled code.
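The vulnerable handler and its hardened replacement, as an added example that is not OopsSec Store's own code. It assumes a Node.js order handler; the price catalog (standing in for the products table), the product IDs, the prices and the tampered request body are all constructed for illustration, and the function names are hypothetical.

```javascript
// Added example, not OopsSec Store's own code. A handler that trusts the
// client's `total` field beside one that recomputes the total server-side
// from a price catalog. Catalog, IDs, prices and request bodies are constructed.

// Constructed price catalog standing in for the products table.
// Prices are stored in integer cents to avoid floating-point rounding.
const PRICE_CATALOG = new Map([
  ["sku-100", 4999], // assumed product ID and price
  ["sku-200", 1500],
  ["sku-300", 250],
]);

// Vulnerable handler: the `total: total` pattern. Whatever the browser sends
// in the JSON body becomes the charged amount.
function createOrderVulnerable(body) {
  const { items, total } = body;
  return { items, total };
}

// Hardened handler: the client-supplied total is never read. Each item's ID
// is checked against the catalog and its quantity validated, then the total
// is recomputed with reduce() from catalog prices.
function createOrderHardened(body) {
  const { items } = body;
  if (!Array.isArray(items) || items.length === 0) {
    throw new Error("order must contain at least one item");
  }
  const lineItems = items.map(({ id, quantity }) => {
    if (!PRICE_CATALOG.has(id)) {
      throw new Error(`unknown product ID: ${id}`);
    }
    // Reject negative, zero, fractional and absurdly large quantities;
    // the upper bound is an assumed business limit.
    if (!Number.isInteger(quantity) || quantity < 1 || quantity > 100) {
      throw new Error(`invalid quantity for ${id}: ${quantity}`);
    }
    return { id, quantity, unitPrice: PRICE_CATALOG.get(id) };
  });
  const total = lineItems.reduce(
    (sum, { quantity, unitPrice }) => sum + quantity * unitPrice,
    0
  );
  return { items: lineItems, total };
}

// Constructed request body mimicking the Burp-modified payload: the real
// price is 2 * 4999 + 1 * 1500 = 11498 cents, but `total` was tampered to 0.1.
const TAMPERED_REQUEST = {
  items: [
    { id: "sku-100", quantity: 2 },
    { id: "sku-200", quantity: 1 },
  ],
  total: 0.1,
};

// Returns both outcomes for the tampered request so the difference is visible.
function compareHandlers(body) {
  return {
    vulnerableTotal: createOrderVulnerable(body).total,
    hardenedTotal: createOrderHardened(body).total,
  };
}

console.log(compareHandlers(TAMPERED_REQUEST));
```

Running the block with node prints the vulnerable handler echoing 0.1 while the hardened handler charges 11498 cents for the same request. The hardened version also refuses unknown product IDs and non-positive quantities, which closes the adjacent manipulation paths a recomputed total alone would leave open.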