How I Hacked IELTS Exam for FREE🤑🤑
Good day ppl! This is Anudeep Vysyaraju, with a new write-up on how I bypassed the payment gateway of the IELTS IDP website and completed my payment successfully without paying a single penny. Also, sorry for deleting my last write-up. No more deletions, and let's hack together!!
Let's get started…
Few lines about Payment Gateway:
When we buy something online, the last step is completing the payment. Websites use various third-party services to get this done; you may have seen companies like Payu, Cashfree, Paytm, Razorpay, etc. handling this part of the process.
Let’s get into the scene!!
Many of my friends are going for an MS, so the first two words I heard from them were IELTS and GRE 😂😂 So I thought I should give it an attempt and opened the IELTS website. After checking the IELTS website, I came up with the idea of checking these websites for vulnerabilities.
This is how my hunt started on this website for vulnerabilities😈😈
Let’s move into Payment Bypass:
So I quickly fired up Burp and started intercepting the requests, and noticed that the site was using Payu as the payment gateway. First I tried parameter tampering on the price value, but nothing worked out, as it had checksum validation at the end. But when I looked at the requests and responses during the process, I observed some negative status parameters like “cancel”, “failure” and “initiated”. So I quickly started changing these negative parameters to positive ones.
To change those negative parameters to positive ones, I first canceled the transaction.
After canceling the transaction, the request looked like this:
Here I changed “cancel” to “success”.
Now I forwarded the manipulated request to the server and got this…
In the above picture, we can see the parameters “status=pending” and “unmappedstatus=initiated”. These are the negative parameters; I changed them to “status=success” and “unmappedstatus=captured”.
Now you can observe the manipulated parameters in the below picture.
After manipulating the parameters, send this request to the server. Now you will see the acknowledgment request.
I came to know that the acknowledgment means the server accepted the payment🤑🤑🤑
Now forward this acknowledgment request to the server and finally here it is……
Booom!! Finally, the exam slot was booked🥳🎊🎉🤑
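The root cause of the flow above is that the booking server believed status fields relayed through the browser instead of verifying them against something the gateway signed. As an added example (not code from the original write-up, and not IDP's or Payu's implementation), here is a minimal callback handler in two versions: a vulnerable one that trusts `status`/`unmappedstatus` as received, and a hardened one that checks a gateway signature over the outcome, verifies the transaction id and amount against the stored order, and only then marks the order paid. The signing scheme (HMAC-SHA512 over `status|amount|txnid` with a merchant salt) is a hypothetical stand-in for the gateway's real reverse checksum; the order and salt values are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed merchant salt for the demo; a real one lives in a secrets store.
MERCHANT_SALT = b"constructed-demo-salt-do-not-use"


@dataclass
class Order:
    """Server-side record of a booking awaiting payment (constructed sample)."""
    txnid: str
    amount: str
    paid: bool = False


def vulnerable_callback(order: Order, params: dict) -> bool:
    """The flawed pattern from the write-up: status fields arriving via the
    browser redirect are trusted as-is, so flipping 'cancel' to 'success'
    and 'initiated' to 'captured' books the slot."""
    if params.get("status") == "success" and params.get("unmappedstatus") == "captured":
        order.paid = True
    return order.paid


def expected_signature(params: dict, salt: bytes = MERCHANT_SALT) -> str:
    """Hypothetical signing scheme: HMAC-SHA512 over status|amount|txnid.
    Any field the attacker can change is covered by the MAC."""
    msg = "|".join([
        params.get("status", ""),
        params.get("amount", ""),
        params.get("txnid", ""),
    ]).encode()
    return hmac.new(salt, msg, hashlib.sha512).hexdigest()


def gateway_sign(params: dict, salt: bytes = MERCHANT_SALT) -> dict:
    """Simulates the gateway side: it signs the genuine outcome before
    redirecting the browser back to the merchant."""
    signed = dict(params)
    signed["hash"] = expected_signature(params, salt)
    return signed


def hardened_callback(order: Order, params: dict, salt: bytes = MERCHANT_SALT) -> bool:
    """Defensive pattern: verify the signature in constant time, bind the
    callback to the stored order (id and amount), and require a signed
    'success' before marking the order paid. Returns True only on a
    verified successful payment."""
    supplied = params.get("hash", "")
    if not hmac.compare_digest(supplied, expected_signature(params, salt)):
        return False  # tampered or forged callback
    if params.get("txnid") != order.txnid or params.get("amount") != order.amount:
        return False  # signed, but for a different order or amount
    if params.get("status") != "success":
        return False  # genuine cancel/failure/pending: nothing to book
    order.paid = True
    return True


if __name__ == "__main__":
    # Gateway reports a cancelled transaction; the client flips it to success.
    cancelled = gateway_sign({"txnid": "ielts-0001", "amount": "15500.00", "status": "cancel"})
    tampered = dict(cancelled, status="success", unmappedstatus="captured")
    print("vulnerable books slot:", vulnerable_callback(Order("ielts-0001", "15500.00"), tampered))
    print("hardened books slot:", hardened_callback(Order("ielts-0001", "15500.00"), tampered))
```

In practice the signature check should be backed by a server-to-server status query to the gateway before the slot is released, so that the booking decision never depends on anything the browser carried; the checksum the author hit on the price field shows the site already had that protection on the outbound leg, it was the return leg that went unverified.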
Again, the vulnerability was reported to IELTS IDP and the British Council, but there has been no response from either of them.
A few days ago, I checked whether the same vulnerability was patched or not, and I came to know that it had been patched by the IELTS IDP team.
So no recognition, no bounty, and no appreciation; this write-up is shared for knowledge-transfer purposes only.
Also special thanks to Mayur Parmar, Hemant Patidar, Tarun Tandon, and Pavan Kumar Chinta
Hope you enjoyed this write-up and gained something from it. Visit my profile for doubts, and ping me on LinkedIn for guidance.
Thanks and Byee… Happy hacking👨💻😈