Business Logic Flaw on Souq (Amazon Company)

Vulnerability Writeup

Affected Endpoint: https://egypt.souq.com/eg-ar/account.php

How to Reproduce

1- Select any product you want to buy, but it must be eligible for the free-shipping option that applies above a specific order amount; for example, a Gym Bar costing 139 Egyptian pounds (EGP) ships free if the order total is above 250 EGP.

2- If you buy a single product below the free-shipping limit, the total price is the product price plus the shipping fee; for example, 139 + 26 = 165 EGP.

3- Now buy items above the free-shipping limit; for example, two Gym Bars cost 278 EGP, so complete the purchase with both of them.

4- Visit https://egypt.souq.com/eg-ar/account.php and cancel one of your items. For example, cancel one of the Gym Bars so that the remaining order contains only one Gym Bar at its original price of 139 EGP, with no shipping fee added: the total becomes 139 EGP instead of 165 EGP.

Impact

This vulnerability lets a customer remove the shipping fee from an order by cancelling items after checkout, so the remaining products cost less than they would if ordered on their own, which results in a financial loss for the company.
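The root cause is a shipping decision that is made once at checkout and never re-evaluated when the order is edited. The following model, added here as an example and not code from Souq or from the original writeup, reproduces the flawed cancellation beside a corrected version that re-runs the shipping policy on the remaining subtotal (the threshold, fee and product prices are the values quoted in the writeup; the `Order` structure and function names are assumptions for illustration):

```python
from dataclasses import dataclass, field

# Values quoted in the writeup, used here as constructed sample configuration.
FREE_SHIPPING_THRESHOLD = 250  # EGP: orders above this amount ship free
SHIPPING_FEE = 26              # EGP: flat fee charged below the threshold


@dataclass
class Order:
    items: dict = field(default_factory=dict)  # item name -> [unit_price, quantity]
    shipping: int = 0  # fee decided at checkout; the flaw is in not revisiting it


def shipping_fee(subtotal: int) -> int:
    """Shipping policy: free only when the subtotal is above the threshold."""
    return 0 if subtotal > FREE_SHIPPING_THRESHOLD else SHIPPING_FEE


def subtotal(order: Order) -> int:
    return sum(price * qty for price, qty in order.items.values())


def checkout(items: dict) -> Order:
    order = Order(items={name: list(v) for name, v in items.items()})
    order.shipping = shipping_fee(subtotal(order))  # evaluated once, at checkout
    return order


def total(order: Order) -> int:
    return subtotal(order) + order.shipping


def _remove(order: Order, name: str, qty: int) -> None:
    price, have = order.items[name]
    if qty > have:
        raise ValueError("cannot cancel more units than were ordered")
    order.items[name][1] = have - qty
    if order.items[name][1] == 0:
        del order.items[name]


def cancel_item_vulnerable(order: Order, name: str, qty: int = 1) -> int:
    """Mirrors the reported behaviour: the item is removed, but the free-shipping
    decision taken at checkout is kept, so the customer avoids the fee."""
    _remove(order, name, qty)
    return total(order)


def cancel_item_fixed(order: Order, name: str, qty: int = 1) -> int:
    """Mitigation: re-apply the shipping policy to what remains, so a partial
    cancellation cannot keep a free-shipping benefit the order no longer earns."""
    _remove(order, name, qty)
    order.shipping = shipping_fee(subtotal(order))
    return total(order)
```

Re-pricing on every order mutation (cancellation, quantity change, coupon removal) is the general rule; the same check should also run server-side on the final charge, not only in the account page that performs the edit.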

Proof of Concept
