Severity: critical | CWE-472 | OWASP A04:2021

Price Manipulation

Accepting prices from the client instead of looking them up server-side allows attackers to modify checkout requests and purchase items at any price they choose.

How It Works

When an e-commerce application sends the price to the server as part of the checkout request, attackers can intercept and modify it. Using browser developer tools or a proxy like Burp Suite, they change the price from $99.99 to $0.01 before the request reaches the server. If the server trusts the client-supplied price and creates the Stripe payment intent or processes the order with that amount, the attacker gets the product for nearly free. This vulnerability is surprisingly common in applications that pass price data through hidden form fields, JavaScript variables, or API request bodies instead of looking up the canonical price from the database on the server side.

Vulnerable Code

app.post('/api/checkout', async (req, res) => {
  const { productId, price, quantity } = req.body;
  const session = await stripe.checkout.sessions.create({
    line_items: [{ price_data: {
      currency: 'usd',
      unit_amount: price,  // Price from client!
      product_data: { name: req.body.productName }
    }, quantity }],
    mode: 'payment'
  });
  res.json({ url: session.url });
});

Secure Code

app.post('/api/checkout', async (req, res) => {
  // Only the product id and quantity are read from the client; any price,
  // total or product name in the request body is ignored.
  const { productId, quantity } = req.body;
  if (!Number.isInteger(quantity) || quantity < 1) {
    return res.status(400).json({ error: 'Invalid quantity' });
  }
  // The canonical price is looked up server-side from the catalog.
  const product = await db.product.findUnique({ where: { id: productId } });
  if (!product) return res.status(404).json({ error: 'Product not found' });
  const session = await stripe.checkout.sessions.create({
    // A stored Stripe Price ID pins the amount; no price_data from the client.
    line_items: [{ price: product.stripePriceId, quantity }],
    mode: 'payment'
  });
  res.json({ url: session.url });
});

Real-World Example

In 2023, a price manipulation vulnerability in a major food delivery platform allowed users to modify order totals via API requests. Attackers changed prices to $0.01 and placed thousands of orders before the issue was detected, resulting in significant financial losses for the company.

How to Prevent It

  • Never accept prices from the client — always look up prices from the database server-side
  • Use Stripe Price IDs stored in your database instead of dynamic price_data amounts
  • Validate total amounts server-side before creating payment intents
  • Log and alert on orders where the charged amount differs from the expected catalog price
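
The following is an added example, not code from the page or its vendor, showing the first, third and fourth bullets together: a checkout builder that ignores every client-supplied price and validates quantity, plus a reconciliation check that flags orders whose charged amount differs from the catalog price. The in-memory catalog, product ids and Stripe price ids are constructed sample data.

```javascript
// Constructed sample catalog; amounts are in cents, as Stripe expects.
const catalog = new Map([
  ['prod_123', { name: 'Headphones', unitAmount: 9999, stripePriceId: 'price_abc' }],
  ['prod_456', { name: 'Cable', unitAmount: 1299, stripePriceId: 'price_def' }],
]);

const MAX_QUANTITY = 100;

// Build Stripe line items for a checkout request. Anything price-related the
// client sends (price, total, productName) is never read; only productId and
// quantity are used, and quantity must be a positive integer within bounds.
function buildLineItems(body) {
  const { productId, quantity } = body;
  const product = catalog.get(productId);
  if (!product) return { error: 'Product not found', status: 404 };
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > MAX_QUANTITY) {
    return { error: 'Invalid quantity', status: 400 };
  }
  return {
    lineItems: [{ price: product.stripePriceId, quantity }],
    expectedAmount: product.unitAmount * quantity,
  };
}

// Reconcile the amount actually charged (e.g. from a checkout.session.completed
// webhook) against the catalog price. Returns an alert record on mismatch or
// unknown product, otherwise null; the caller logs and alerts on the record.
function checkChargedAmount(order) {
  const { orderId, productId, quantity, amountCharged } = order;
  const product = catalog.get(productId);
  const expected = product ? product.unitAmount * quantity : null;
  if (expected === null || amountCharged !== expected) {
    return { orderId, productId, expected, amountCharged, severity: 'high' };
  }
  return null;
}

// Constructed sample input: a tampered request carrying price: 1 (ignored) and
// a webhook-style order record whose charge does not match the catalog.
const tampered = buildLineItems({ productId: 'prod_123', quantity: 1, price: 1 });
const alert = checkChargedAmount({ orderId: 'o_1', productId: 'prod_123', quantity: 2, amountCharged: 2 });
console.log(tampered.expectedAmount, alert);
```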

Affected Technologies

Node.js, React, Next.js, Python, Go, Java, PHP

Data Hogo detects this vulnerability automatically.

