
Business Logic Vulnerability in Dell’s Payment API — Reported via Bugcrowd

3 min read · May 24, 2025

By Aditya Sunny — Bug Hunter

> “Every secure system deserves honest scrutiny.”

Introduction

In late December 2024, I collaborated with fellow security researcher SubSecure to uncover a Business Logic Vulnerability on Dell Technologies’ platform. The issue, reported via Bugcrowd, exposed how UPI payment amounts could be manipulated via crafted API payloads, potentially leading to payment fraud or bypass.

Though ultimately classified as P4, the bug was acknowledged, triaged, and rewarded by Dell’s security team — validating the impact and quality of our responsible disclosure.

---

Target Information

Platform: Dell Technologies

Program: Dell Application Bug Bounty (via Bugcrowd)

Target: *.dell.com/*

Bug Type: Business Logic / Payment Manipulation

Severity Assigned: P4 (Initially Triaged as P2)

Reward: $100

Status: Resolved

Reported by: Aditya Sunny & SubSecure

Date of Submission: December 25, 2024

---

Vulnerability Summary

We discovered that Dell's UPI payment processing API lacked proper validation of payment amounts. This allowed an attacker to alter the request payload and manipulate the price reflected in the server's response — opening the door to financial inconsistencies and potential fraud.

---

Proof of Concept (PoC)

We initiated a UPI payment with the following crafted payload:

{
  "upiPaymentDetails": {
    "paymentId": "70f10e98-f618-4c25-ad3b-f1304f2371c3",
    "amount": 1.00,
    "payCode": "UPI"
  },
  "nonAppliedPayment": {
    "payCode": "UPI"
  },
  "paymentProcessType": "Register",
  "paymentCategoryName": "upi",
  "isPaymentAncillaryDataRequired": true
}

Server Response:

{
  "upiPaymentDetails": {
    "amount": 1.00,
    "paymentId": "70f10e98-f618-4c25-ad3b-f1304f2371c3",
    "payCode": "UPI",
    ...
  }
}

Even though the amount in the request had been modified, Dell’s API accepted it and echoed the same value back in its response. No server-side check compared the submitted amount against the amount actually due, so the amount could be tampered with without being detected.

Screenshot 1: Manipulated Price
Screenshot 2: API Response with Altered Amount
Screenshot 3: Payment Completion on Gateway

---

Impact

This vulnerability posed significant risks:

Financial Risk: Potential loss through price manipulation.

Integrity Violation: ACID property (Consistency) was compromised.

Reputation Risk: Errors in payment processes erode customer trust.

---

Timeline of Events

25 Dec 2024: Bug reported by Aditya Sunny & SubSecure

30 Dec 2024: Bugcrowd requested PoC validation

06 Jan 2025: Validated, triaged as P2

10 Jan 2025: Final reward issued ($100, split 50/50)

18 Mar 2025: Bug status marked as Resolved

---

Collaboration Notes

This was a team effort between me (@adityasunny06) and SubSecure. We worked together to analyze, test, and report the vulnerability with detailed PoC, screenshots, and a video proof.

Despite the bug being marked as P4, we are proud of the positive collaboration and the security awareness this has raised.

---

Lesson for Developers

Always validate business logic at both client & server levels.

Implement payment amount integrity checks.

Use audit logs to flag anomalies in transactional data.

Business logic bugs are subtle but dangerous — don't overlook them.
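The following is an added example (written for this post, not Dell’s code or anything from the Bugcrowd report) that puts the PoC and the lessons above side by side: a handler that trusts the client’s `upiPaymentDetails.amount` and echoes it back, next to a hardened handler that takes the amount from a server-side order record, treats the client value only as something to cross-check, and writes every mismatch to an audit list. The `ORDERS` table, the 1499.00 order total, the `hardened_register`/`vulnerable_register` function names and the status codes are all assumptions for the illustration; only the request shape and the `paymentId` come from the write-up.

```python
# Added example, not Dell's code. Shows why the amount must be derived
# server-side and why mismatches should be logged, not silently accepted.
import json
import logging
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("payments")

# Constructed sample of what the server already knows about a payment before
# the client calls the registration endpoint (assumed data, not from the post).
ORDERS = {
    "70f10e98-f618-4c25-ad3b-f1304f2371c3": {
        "amount": Decimal("1499.00"),
        "currency": "INR",
    },
}

# Audit trail of rejected requests. A real system would write these to an
# append-only log or SIEM so amount anomalies can be alerted on.
ANOMALIES = []


def make_request(amount, payment_id="70f10e98-f618-4c25-ad3b-f1304f2371c3"):
    """Build a request with the same shape as the payload in the write-up."""
    return {
        "upiPaymentDetails": {"paymentId": payment_id, "amount": amount, "payCode": "UPI"},
        "nonAppliedPayment": {"payCode": "UPI"},
        "paymentProcessType": "Register",
        "paymentCategoryName": "upi",
        "isPaymentAncillaryDataRequired": True,
    }


def vulnerable_register(payload):
    """The flaw described in the post: trust the client amount and echo it back."""
    details = payload["upiPaymentDetails"]
    return {"upiPaymentDetails": {"amount": details["amount"],
                                  "paymentId": details["paymentId"],
                                  "payCode": details["payCode"]}}


def hardened_register(payload):
    """The authoritative amount comes from the order; the client value is only verified."""
    details = payload.get("upiPaymentDetails") or {}
    payment_id = details.get("paymentId")
    order = ORDERS.get(payment_id)
    if order is None:
        log.warning("unknown paymentId %r", payment_id)
        return {"error": "unknown_payment", "status": 404}

    if details.get("payCode") != "UPI" or payload.get("paymentCategoryName") != "upi":
        return {"error": "unsupported_pay_code", "status": 400}

    # Parse via str() so a float like 1.0 becomes Decimal("1.0"), not a binary
    # approximation; quantize to paise so "1499" and 1499.00 compare equal.
    try:
        client_amount = Decimal(str(details.get("amount"))).quantize(
            Decimal("0.01"), rounding=ROUND_HALF_UP)
    except (InvalidOperation, TypeError, ValueError):
        return {"error": "malformed_amount", "status": 400}

    expected = order["amount"]
    if client_amount != expected:
        # Integrity check failed: record the anomaly and refuse the request.
        # Do not "correct" the amount silently, or the tampering goes unnoticed.
        ANOMALIES.append({"paymentId": payment_id,
                          "client_amount": str(client_amount),
                          "expected": str(expected)})
        log.warning("amount mismatch for %s: client=%s expected=%s",
                    payment_id, client_amount, expected)
        return {"error": "amount_mismatch", "status": 409}

    # Respond with the server-side amount, never the client's copy of it.
    return {"upiPaymentDetails": {"amount": str(expected), "paymentId": payment_id,
                                  "payCode": "UPI", "currency": order["currency"]},
            "status": 200}


if __name__ == "__main__":
    # Constructed request: amount lowered to 1.00 against a 1499.00 order.
    tampered = make_request(1.00)
    print(json.dumps(vulnerable_register(tampered), indent=2))
    print(json.dumps(hardened_register(tampered), indent=2))
    print(json.dumps(ANOMALIES, indent=2))
```

The design point is that the client payload is treated as a claim to verify, not as input to the ledger: the amount the response carries is the one the server already held, and a mismatch produces both a refusal and an audit record, which is the kind of anomaly signal the lesson about audit logs refers to.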

---

My Takeaway as a Bug Hunter

This bug was another reminder that API-level security is just as critical as UI-layer security. Even when everything looks correct on the front-end, server-side logic can be manipulated by those who know where to look.

---

About Me

Aditya Sunny
Bug Bounty Hunter | Cybersecurity Enthusiast | Co-Founder at Cyber Vichar

---

If you liked this write-up, please support by clapping, sharing, or following me here on Medium!

Stay safe, keep hunting.


Written by Aditya sunny

Cybersecurity Enthusiast | Honoured by Bajaj Finance Security Heroes | Secured Meta (FB, IG, WA), Dell, Maffashion & more | Ex-Navodayan | Bug Hunter
