This technique is not that straightforward in the real world, because UA-cam does not allow us to upload zero-day exploits. Instead, if you want to seriously know how it works in the real world, join our full ethical hacking course on Udemy with real-world examples! www.udemy.com/course/full-ethical-hacking-course/
Why are you hiding in top corner?
Loi sir, can you make a video on how to start bug bounty for beginners? Near my home there are no bug bounty teachers, but I'm interested in it, so plzzzzz👈👈👈
@@kunalraut1689 used on which site?
Hi Mr Loi Liang Yang, I'm a member of this channel and I subscribed, but I don't have access to some videos; it tells me that I'm not a member
Hey, how to start hacking?
If an exploit is on UA-cam, it doesn’t work now.
Not at all. I did it to a site and it worked.
This would work if we were still in the early 2000s
Edit: Wow! I did not expect so many likes and comments. Appreciate you all. Thanks!
You'd be surprised to know how many million dollar foundations are running websites from the 1990s. Just because they keep on getting away with it.
@@fjdjzfhrsut8063 Names?
@@fjdjzfhrsut8063 time to buy a spaceship and live on Mars, all for 99 cents
HAHAHHAHAHAH yeah
Chase Bank and John Deere
Amazing, now time to go get them Bugatti's for 25 cents a pop and sell em for 200 stacks of 💰 ben franklins lol
😂😂lol
FBI OPEN UP
As a full stack Software Eng: laughing in server side validation
Precisely
If any dev on my team sends the price instead of the item hash, he will find himself without a job in zero time.
Not a full stack dev or anything like that. Just a nerd, and laughing hard.
i clicked this just to comment something similar.. haha 😂
Lmaooo ikrr
I am a web developer for a content publisher, not for e-commerce, but even I would know better than to use any numbers sent by the browser in a transaction. Any price numbers I would send to the browser would simply be for the user to look at. I'm always going to use my numbers from my database and not an easily tampered-with POST form variable.
@MOTIVATIONAL WALLAH - PHYSICSWALLAH Yeah sure buddy. Why don't we call the cops and let them know that you and I plan to do crime stuff together buddy.
lol.
@MOTIVATIONAL WALLAH - PHYSICSWALLAH annoying
@@PhilLesh69 Damn
humm cop caller snitches get stitches found in Ditches
@@PhilLesh69 buddy headass kid. Yung meza God bud
Instead of the delivery guy, the cops showed up.....? I NEED A REFUND NOW!!
😂😂😂
😂
Lmao
😂
Interesting how 99% of hacking tutorials just don't work on 99% of websites, and they say "How hackers do this or that"....
Hahaha FR
Well, they do work. The only thing left for you to figure out is how to make it work.
Exactly
Ik what works tho
In order to find hacking tutorials, you need to go to the dark web, not YouTube
This only works if the web app doesn't verify the price on the server side, which rarely happens in decent sites.
This has a 1% chance to work lol
@@lewyathan Yeah, well it depends on the developer... If it's a developer you found on some site and he only cares about the money, he wouldn't care about security, thus it'll probably work... It could also be an amateur developer and it might work
Please, what website can this work on?
@@anonymus3286 Probably none of the websites that you use... If you are pen testing a website and they have a payment system it's worth giving it a try, but the vulnerability could come in different forms. I think someone found something similar in "ikea". Try to search up "ikea parameter tampering"
But on government sites and many others, it is still like this
I've never calculated anything client-side other than for visual display. Who does this?
More ppl than you'd think
I'm betting no one. Having the knowledge to POST but not knowing how to deal with that POST doesn't make any sense.
@@ihateevilbill Frequently developers try to put as much stuff on the front end as possible to avoid network and memory overhead on the backend, but they miss something, and a design flaw is born that way.
@@vaja5357 I always put security a bit over performance, though I still make sure I don't write any bullshit code. But storing prices on the backend is a must-do. A way to avoid performance issues is to put a cooldown, or use multiple servers and e.g. have nginx put clients on the currently less full server. My friend had one server and tried to put in so much security (even though he's just an amateur) that he himself forgot how some of his scripts work, which caused them to conflict quite a lot, no optimization whatsoever (he didn't even minify the JS code). Once he said he was done, I tried finding vulnerabilities: the conflict between the scripts made so many sinks that it was very easy to find an element which could cause either SQL injection or path traversal, and on top of that, he completely forgot about XSS
me
Moral of the story: never trust the client-side.
thanks for the summary!
69 likes, *nice*
@@bigdanslivestreams4060 🗿😂
Every kid seeing this be like: Yes, this is what I want, now I can get Roblox for free
fr LMAO
This wouldn't even work on sites I build for my university projects 😂😂
How to use this hack on your Udemy course..
It won't work anywhere; it will only work if the developer was drunk when he wrote the database and payment gateway
@Random Saga Bro DM me on insta
asurhere2021
@@nikhilkatte2715 hahahahhaha xD
@SIDDHARTHTM of course
This is happening because the backend dev/s are not validating the input coming from the frontend, which a 10-year-old can do. It is crazy that such devs are getting jobs in the industry...
It should verify the transaction from the front end to the backend and see if the amount is equal to the transaction
This becomes shitty if the developer has done a server side check while order placing.
Me seeing HTML writing the first 10 secs: Please don’t tell me this is the guy who hacked NASA with HTML😂
@Ali 2JZ let’s give him a big round of applause guys👏👏👏
Weird Al does them all.
My Bank Card : No way To buy this...
Me : Open Google Inspector..
My Bank Card : Ohh Shit......
Mr Loi Liang, you are a wonderful person because you spread knowledge to me, someone who wants to learn. Thank you from the heart
Even so, wouldn't the seller just realize he got paid $299 for a $2999 TV and reject the order ?
I don't think so, because if you hack it from 2999 to 299, I think the server will think that you paid 2999
Yeah, it probably worked in the early 2000s / late 90s with the early machines and software code, but now if you edit and change the hypertext it just goes back to standard text
I tried it this trick on amazon and now i am in jail !
Wondering how i commented if i am in jail ?
I just stole the officer's phone when he was performing the weekly inspection of my cell!!
It does not work on any website; the majority are protected against this flaw. I took the trouble to test. Thanks for the work you do
I guess PS5 doesn't have to be so expensive after all 🤭♥️
Instructions unclear, the UPS driver put me in handcuffs and I’m at the police station now
@mitchelleintroducerogersfloyd1 what a generous baker! 🍞👨🍳
It's About time I get that New Rolls Royce Boat Tail😂
Do you think any shop would send the item out without checking the price and payments? I don't think so
No modern website worth their salt would ever forget to verify the transaction.
*To solve the problem, PHP is the only king! Before responding, check the price from the DB.*
Does this work on amazon or steam?
I'm confused, because will this work, or as soon as you ship it to your house will the cops show up?
Most likely no one will know unless an admin or someone checks it manually, which is unlikely, especially if the website gets a lot of purchases. But this video is only a demo; finding a bug like this in the wild will be a bit harder and a little different, but same idea and concept :)
@@salvathir f
@@salvathir j
As a full stack developer, any good website would not allow this to happen?? I hope??
Time to download some free packs i guess!
Only real hackers do "Right click, inspect element and then just change the money" :D
Manipulating the server request is called Hacking 😂
Then, i think all the developers are hackers 🤪
This website looks like it's built by someone who just learnt how to build websites with Skillshare/Udemy courses
It might not work on 100% of websites, but at the last and current places I worked, both were sending the amount from the frontend, which directly redirected to the payment gateway. So if you ask me, it does not hurt to check for this on all websites you use.
But what is the way to prevent it? I will use this knowledge to help others, not to destroy them.
And that's why you check the prices in the backend :)
He edited the request before it was posted to the backend. But if it has backend validation, it shouldn't be a problem. Hmmm. I'm tempted to try it.
HTML tampering is based on the manipulation of parameters exchanged between client and server in order to modify application data
How does this work in real life? It's interesting..
Now I am going to buy an iPhone 12 Pro Max and a MacBook Air
I'd be very shocked if you find a site that allows you to buy a new iPhone. Title is clickbait, I'm afraid.
Can you get tracked by doing this?
It only reflects the front end, but it won't reflect the back end... if the price is coming from the server side, then it won't work; you need to attack the database. Nowadays it doesn't work if the website is built with a framework, because they are very secure
You’re saying that you can buy anything for free on Amazon?
After you refresh the page, the price will reset to its original value
😅😅😅 you're a pro
How to make a video about something that works only in 0.1% of cases and earn some money. Great tutorial.
Sir, could all this be done in Burp Suite?
No sir, we check it on the server side (in the controller), so your request is gonna be rejected
This would not work in any real-world e-commerce application; information about a product or cart content would be stored on the backend and handled there, the frontend is just representational.
Loi Liang Yang, how can I attend your ethical hacking course on Udemy?
How much does it cost?
Here you go: www.udemy.com/course/full-ethical-hacking-course/
@@jimmyjv7723 I will give it to you for free if you want
How do you defend?
Sorry for the late response. To defend, you simply do server-side validation of the purchase.
The guy in the video did it on the client side. It didn't have any server-side check of whether his purchase was valid, so that's why he bought it that easily.
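As an added illustration of the server-side check this reply describes (example code written here, not from the video or from WebGoat): a checkout handler that trusts the posted price beside one that looks the price up by product id and flags a mismatching client price as a tamper signal. The catalogue and the two form bodies are constructed sample data.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample catalogue: the server's own source of truth for prices.
CATALOG = {
    "tv-55-4k": {"name": "55in 4K TV", "price": Decimal("2999.00"), "stock": 10},
    "hdmi-cable": {"name": "HDMI cable", "price": Decimal("19.99"), "stock": 500},
}


def checkout_trusting_client(form):
    """Vulnerable pattern shown in the video: the price field posted by the
    browser is used as-is, so editing the HTML or the POST body changes the
    amount charged."""
    qty = int(form["qty"])
    price = Decimal(form["price"])  # attacker-controlled value
    return price * qty


def checkout_server_side(form):
    """Hardened pattern: the client only identifies product and quantity.
    The price comes from the server's catalogue, quantity is bounds-checked,
    and any client-supplied price is compared purely as a tamper indicator."""
    product_id = form.get("product_id")
    item = CATALOG.get(product_id)
    if item is None:
        raise ValueError(f"unknown product {product_id!r}")
    try:
        qty = int(form.get("qty", "0"))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= item["stock"]:
        raise ValueError(f"quantity {qty} out of range")
    # A legitimate page never changes the hidden price field, so a mismatch
    # (or unparsable value) is worth logging; it is never used for the total.
    tampered = False
    if "price" in form:
        try:
            tampered = Decimal(form["price"]) != item["price"]
        except InvalidOperation:
            tampered = True
    return item["price"] * qty, tampered


# Constructed POST body as the page would normally submit it...
LEGIT_FORM = {"product_id": "tv-55-4k", "qty": "1", "price": "2999.00"}
# ...and the same body after "inspect element" edited the price field.
TAMPERED_FORM = {"product_id": "tv-55-4k", "qty": "1", "price": "299.00"}

if __name__ == "__main__":
    print(checkout_trusting_client(TAMPERED_FORM))  # 299.00: the flaw
    print(checkout_server_side(TAMPERED_FORM))      # (2999.00, True)
```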
How to bypass security and view paid videos on websites
How do I bring WebGoat to the site or bring the site to WebGoat?
Shall I try this? 🥺
This won't work, you are just tampering with your own browser.
Don't forget it has to be validated on the server side
Two boys were doing this but unfortunately they got caught by the police 😅
YouTube casually recommending this like you're supposed to know how to hack lol
pretty fun i guess
How does a hacker use Windows?
Bill Gates? Jeff Bezos? Elon Musk? Move out of the way, now I will be the richest man alive, EVER!
Hello, I have subscribed to your channel, but whenever I want to watch the videos it says members only. Please, how can I get access to those videos? Is there a way to register? Please, your videos are really helping
Here you go: ua-cam.com/channels/1szFCBUWXY3ESff8dJjjzw.htmljoin
@@LoiLiangYang thanks a lot. And your video is really helpful. God bless you ❤️.
I have subscribed, but it's still saying join this channel to get access. I wish I could send a screenshot
@@LoiLiangYang I need your contact or email
Is it a true video? Is it the same to use on a personal mobile?
Who writes code like this? This may have worked back in 2000 when the web was young, and I have my doubts because this is clearly bad design. These transactions are done by product id.
This technique no longer works. All the legit websites already have systems in place to control hacking. Even if you've done the same thing this way, it'll never work this way anymore.
Why can't I join to watch these members-only videos? How do I go about it, coz I can't see a join button
It's because they've restricted it geographically, try with a VPN
The server side can't verify that transaction.
How to get the WebGoat to the store you're trying to use iron
Hi, I have a question. If I want to do these types of fraud, how can I do it without being traced?
If I do whatever you said in this video
So can I buy this TV at 299 dollars..???
Man, this reminds me of kids who remove the password field for FB and click sign in and show that this is how it's done
I do not see a join button on your channel. Plz guide
Where was the "how to defend" part???
How to download PDF books (not free)?
Does this really work?
But wouldn't the seller see that you did this and pursue you for this?
Learn web dev; JS is very helpful in every field. Also now I know I will never trust the client and will validate on the server
Came here to look for the concept; what people don't understand is that once you get the concept, you know what to do
what is that
So I can buy stuff for free now?
Please, what site can I shop on with your tutorials, sir?
It's a vulnerable Java-based application, "WebGoat".
@@kumarsahab3828 bro can you help me?
@@rifatneily Yes brother tell me
I'm a classic person and not a programmer... if I sell something and it doesn't match the price... I will not send my stuff to the buyer... simple
Loi, I really need your help. What should I do after that?
Who the heck sends the price instead of product ID and qty?
Oh man!!! I'm worried about my stores. Does this bug work for Shopify stores as well?
No, it doesn't work on Shopify, your store is much more secure with Shopify, so just chill
@@darshaim Thank you bro
Shopify wouldn't exist if this was possible, or any other e-commerce solution. This affects only those that create their own e-commerce systems; they are in for a great awakening, this attack is not level 0
Holy SHIT it fucking works, just bought a motorcycle for $1200 instead of 12,000. The truck will be here tomorrow with my bike. I don't know if I'm going to be able to keep it, but as far as the exploit goes it worked for me. Hopefully I will be riding a new motorcycle tomorrow. I will comment when the bike arrives at my house, if it comes. I don't know how they would not be able to notice over 10,000 missing from the amount they received for the bike
did it work ?
Can I use this to buy Hookers at a discount?
Is it illegal if we try it?
Btw this still works on many German (family-owned business) sites
Can I do it on my Android smartphone?
it didn't even work
Sir, make a video on full website hacking
How do I get WebGoat?
Which browser is that?
Are there really shop websites out there that POST the price?
Epic videos will be not available at the right times.
thanks for teaching me how to do it
What version of Kali Linux is that?