
Client-Side Price Manipulation Vulnerability in OopsSec Store Educational Application
The OopsSec Store, an intentionally vulnerable e-commerce application built with Next.js, contains a client-side price manipulation vulnerability where the server accepts the order total directly from the browser without recalculating it from actual product prices. Attackers can intercept the POST request to /api/orders using tools like Burp Suite and modify the total field to an arbitrary value (e.g., $0.01), which the server processes without validation. The vulnerable code extracts the total from the request body and stores it directly in the database via Prisma, enabling exploitation with minimal technical effort. The application returns a flag (OSS{cl13nt_s1d3_pr1c3_m4n1pul4t10n}) upon successful manipulation, confirming the flaw. This vulnerability is classified under CWE-602 (Client-Side Enforcement of Server-Side Security) and CWE-840 (Business Logic Errors). The OopsSec Store is designed for educational purposes and should only be run in isolated environments.
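The trusting order handler beside its server-side fix, as an added example that is not the OopsSec Store's own code; the product catalog, in-memory order store, and request shape below are constructed stand-ins for the app's Prisma models and Next.js route.

```javascript
// Constructed product catalog; prices kept in integer cents to avoid float drift.
const PRODUCTS = new Map([
  ["prod_hoodie", { name: "Hoodie", priceCents: 4999 }],
  ["prod_sticker", { name: "Sticker", priceCents: 299 }],
]);
const ordersDb = []; // stand-in for prisma.order.create(...)

// Vulnerable pattern (CWE-602): whatever `total` the browser sent is persisted,
// so a tampered POST /api/orders body with total = 1 cent is accepted as-is.
function createOrderVulnerable(body) {
  const order = { id: ordersDb.length + 1, items: body.items, total: body.total };
  ordersDb.push(order);
  return { status: 201, order };
}

// Hardened pattern: the client's total is never trusted. Every line item is
// validated against the catalog and the total is recomputed on the server.
function createOrderHardened(body) {
  if (!Array.isArray(body.items) || body.items.length === 0) {
    return { status: 400, error: "order must contain at least one item" };
  }
  let totalCents = 0;
  for (const item of body.items) {
    const product = PRODUCTS.get(item.productId);
    const qty = item.quantity;
    if (!product || !Number.isInteger(qty) || qty < 1 || qty > 100) {
      return { status: 400, error: "invalid item or quantity" };
    }
    totalCents += product.priceCents * qty;
  }
  // A client-supplied total that disagrees with the server's figure is a
  // useful tamper signal for logging/alerting, but never the source of truth.
  const tampered = body.total !== undefined && body.total !== totalCents;
  const order = { id: ordersDb.length + 1, items: body.items, total: totalCents };
  ordersDb.push(order);
  return { status: 201, order, tampered };
}
```

The `tampered` flag is what a detection rule would key on: a mismatch between the submitted and recomputed totals indicates a modified request rather than a pricing bug.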