A04: Insecure Design
Manipulate the price of an item at checkout by tampering with client-side data.
Interactive Simulation
An e-commerce site trusts the client to send the price of an item during checkout. Tamper with this price.
How to Simulate
- With the defense disabled, note the ticket's real price is £100, but the price in the form is £1.
- Click "Proceed to Checkout" and see that the server accepts the fraudulent price.
- Enable 'Server-Side Price Validation' and check out again with the fraudulent price.
- Observe that the server now ignores the client-sent price and charges the correct amount.
Ticket Checkout
Item: Exclusive Concert Ticket
Real Price: £100.00
Explanation
Insecure Design is a broad category representing weaknesses that stem from missing or ineffective security controls in the architecture. It's about "failing to plan" for security from the beginning.
In this scenario, the application was designed to trust the price sent from the client-side. An attacker can use browser developer tools to change the price in the checkout request. Without server-side validation, the server blindly accepts this data, allowing the attacker to purchase items for any price they choose.
Toggle Defense
When enabled, the server ignores the price sent from the client. Instead, it retrieves the correct, authoritative price from its own database before processing the payment.
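The two checkout designs described above (trusting the client's price versus looking it up server-side), written out as an added example that is not code from this simulator; the catalog, request shape and quantity handling are constructed assumptions, and the hardened version also records a client/server price mismatch so that tampering attempts show up in logs rather than silently disappearing.

```javascript
// Constructed stand-in for the server's authoritative price table (prices in pence).
const CATALOG = {
  "concert-ticket": { name: "Exclusive Concert Ticket", pricePence: 10000 },
};

// Insecure design: the server bills whatever price the client put in the form.
// Anyone who edits the request body picks their own price.
function checkoutInsecure(req) {
  const item = CATALOG[req.itemId];
  if (!item) throw new Error("unknown item");
  return { itemId: req.itemId, chargedPence: req.pricePence, alerts: [] };
}

// Hardened design: the client may choose WHAT to buy and HOW MANY, but the
// price is taken only from the server-side catalog. A client-sent price that
// disagrees with the catalog is ignored for billing and reported as an alert.
function checkoutSecure(req) {
  const item = CATALOG[req.itemId];
  if (!item) throw new Error("unknown item");
  // Quantity is client-controlled by design, so it is validated, not trusted blindly.
  const qty =
    Number.isInteger(req.quantity) && req.quantity > 0 ? req.quantity : 1;
  const alerts = [];
  if (req.pricePence !== undefined && req.pricePence !== item.pricePence) {
    alerts.push(
      `price mismatch for ${req.itemId}: client sent ${req.pricePence}, ` +
        `catalog has ${item.pricePence}`
    );
  }
  return { itemId: req.itemId, chargedPence: item.pricePence * qty, alerts };
}

// Constructed tampered request: the £100.00 form price was edited to £1.00.
const tampered = { itemId: "concert-ticket", pricePence: 100, quantity: 1 };

console.log(checkoutInsecure(tampered)); // charges 100 pence (£1.00)
console.log(checkoutSecure(tampered)); // charges 10000 pence (£100.00), one alert
```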