You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/10-Test-Payment-Functionality.md
+40Lines changed: 40 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -236,6 +236,46 @@ Testing payment functionality on applications can introduce additional complexit
236
236
- Keeping a record of any orders that are made so that they can be cancelled and refunded.
237
237
- Not placing orders that can't be cancelled, or that will cause other actions (such as goods being immediately dispatched from a warehouse).
238
238
239
+
#### Source Equals Destination
240
+
241
+
If the source of the transfer is equal to the destination, it may result in simply adding value to the account without any actual transfer occurring. This scenario should be tested to ensure that the application prevents such operations.
242
+
243
+
#### Two-Step Payments or Transfers
244
+
245
+
For payments or transfers requiring two steps (initiation and confirmation), ensure that checks are performed during both phases. For example:
246
+
247
+
- Initiate two separate payments.
248
+
- Confirm them individually.
249
+
250
+
Verify that necessary checks, such as daily limits or balance validations, are performed during the confirmation phase. Failure to do so may lead to negative balances or bypassing limits.
251
+
252
+
#### Adding Items After Payment Initiation
253
+
254
+
Test the scenario where a payment is initiated, and items are added to the cart afterward. Confirming the payment may result in marking the added items as paid, which could lead to inconsistencies in the payment process.
255
+
256
+
#### Race Conditions
257
+
258
+
- Concurrent Payment Confirmations
259
+
Initiate multiple confirmation requests (e.g., `POST /confirm-payment`) simultaneously for the same order using tools like Burp Intruder or custom scripts. This may result in the same order being processed multiple times.
260
+
261
+
- Callback Replay or Flooding
262
+
Intercept the gateway’s callback request (e.g., to `success.php` or `/payment/callback`) and replay it rapidly in parallel. If the backend lacks proper idempotency checks, this can:
263
+
- Trigger multiple order fulfillment events (e.g., shipping, credits).
264
+
- Mark the same order as "paid" multiple times.
265
+
- Cause balance inflation or inventory errors.
266
+
267
+
#### Multi-Input Systems (Bulk Payments)
268
+
269
+
In systems that support bulk payments, test scenarios where the total amount remains positive, but individual inputs include negative values. For example:
270
+
271
+
```plaintext
272
+
account_id_1 = $5
273
+
account_id_2 = -$4
274
+
Total = $1 paid, but $5 credited
275
+
```
276
+
277
+
Ensure that the application correctly handles such cases and prevents exploitation.
278
+
239
279
## Related Test Cases
240
280
241
281
-[Testing for HTTP Parameter Pollution](../07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution.md)
0 commit comments