E-commerce · Security Audit · High

Cart price manipulation on a DTC brand

Patched in 8 days, no fraudulent orders confirmed
Engagement: 2 weeks

Background

A direct-to-consumer brand had recently relaunched their storefront on a custom stack after outgrowing a hosted platform. The replatforming moved fast — the checkout flow had been rewritten twice in six months. They brought us in for an audit before their holiday sale season.

The finding

During a review of the checkout API, we found the server was trusting the client-submitted unit_price for each cart item at order creation time. The frontend JavaScript calculated prices and included them in the checkout payload. The backend was supposed to validate these against the product catalog — but a refactor had silently broken that validation for items in promotional categories.

Proof of concept:

  1. Add a sale item to cart
  2. Intercept the checkout POST
  3. Set unit_price to 0.01
  4. Submit — order creates successfully at the attacker-controlled price

About 40% of the catalog was affected, including all sale and clearance items.

CVSS score: 7.5 (High). Exploitable by any ordinary customer account with no further privileges, reproducible 100% of the time.

How we fixed it

We documented the broken validation path with a full code trace: which middleware was called, which condition short-circuited the price check, and which product tag triggered it.

The fix was a three-line change: remove the conditional bypass and always validate price server-side against the current catalog. We reviewed the PR and ran additional tests across all promotional category edge cases to confirm the exploit no longer worked.

We also suggested a secondary defense: flag any order where the total is more than 20% below catalog prices for manual review. They shipped this alongside the primary fix.

Outcome

The vulnerability was patched eight days after our report. A review of order history found no confirmed fraudulent orders during the exposure window, though the flaw had been present for roughly four months. The team added server-side price validation to their engineering checklist and introduced automated regression tests for the checkout flow.


All client details are anonymized. Sector and finding type are accurate.

Have a similar problem?

Tell us about your scope. We'll respond within two business days.

Request a quote