# Testing Financially-Oriented Web Apps

<details>

<summary><strong>TOCTOU / Race-Condition Tests</strong></summary>

* [ ] Attempt concurrent transactions (e.g., two simultaneous money/points transfers) to see if checks are bypassed.
* [ ] During checkout: open payment page, then from another tab/session modify basket or amount and return to pay — verify the final transaction reflects correct state (Deposit process when an application can hold user balances).
* [ ] After payment completion: attempt to modify the order (items, quantity, details) and see if changes are allowed without fresh payment/validation.
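To make the first item concrete from the defender's side, here is an added example (not from the page or the referenced paper) that reproduces the check-then-act race against a constructed SQLite account and contrasts it with the atomic conditional UPDATE that closes it. A barrier is used only to force the losing interleaving deterministically.

```python
import os, sqlite3, tempfile, threading

def make_db() -> str:
    """Constructed sample (not from the page): one account with a balance of 100."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    with sqlite3.connect(path) as conn:
        conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER)")
        conn.execute("INSERT INTO accounts VALUES (1, 100)")
    return path

def balance_of(path: str) -> int:
    with sqlite3.connect(path) as conn:
        return conn.execute("SELECT balance FROM accounts WHERE id = 1").fetchone()[0]

def debit_check_then_act(path: str, amount: int, gate: threading.Barrier) -> bool:
    """Vulnerable pattern: SELECT, check in application code, then UPDATE.
    Two requests can both pass the check before either one writes."""
    with sqlite3.connect(path, timeout=5) as conn:
        (balance,) = conn.execute("SELECT balance FROM accounts WHERE id = 1").fetchone()
        if balance < amount:
            return False
        gate.wait()  # demo only: parks both threads here so the interleaving is deterministic
        conn.execute("UPDATE accounts SET balance = ? WHERE id = 1", (balance - amount,))
    return True

def debit_atomic(path: str, amount: int) -> bool:
    """Hardened pattern: the check is part of the UPDATE, so the database evaluates
    it under its own lock; rowcount tells us whether the debit actually applied."""
    with sqlite3.connect(path, timeout=5) as conn:
        cur = conn.execute("UPDATE accounts SET balance = balance - ? "
                           "WHERE id = 1 AND balance >= ?", (amount, amount))
    return cur.rowcount == 1

def run_two(worker) -> list:
    """Fire the same debit from two threads, like two simultaneous transfer requests."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(worker())) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results

def demo() -> dict:
    unsafe, gate = make_db(), threading.Barrier(2)
    unsafe_ok = run_two(lambda: debit_check_then_act(unsafe, 80, gate))
    safe = make_db()
    safe_ok = run_two(lambda: debit_atomic(safe, 80))
    return {"unsafe_debits": sum(unsafe_ok), "unsafe_balance": balance_of(unsafe),
            "safe_debits": sum(safe_ok), "safe_balance": balance_of(safe)}
```

In the unsafe run both debits of 80 succeed against a balance of 100 and the account still reads 20, so 160 left it; the atomic form lets exactly one through.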

</details>

<details>

<summary><strong>Parameter Manipulation Tests</strong></summary>

* [ ] Price Manipulation: adjust hidden/posted “price” field (e.g., negative values, 0, manipulated discount) and verify final price is correct.
* [ ] Currency Manipulation: change currency parameter in payment request (if multi-currency supported) to a lower value currency and check for inconsistent credit.
* [ ] Currency Manipulation in the provider itself: apply the same currency change to the request sent to the payment provider and check whether the currency actually charged is reconciled.

* [ ] Shipping Address / Posting Method Manipulation: modify shipping address/post method late in checkout (or after payment page loaded) and verify cost/tax adjustments are validated.
* [ ] Additional Costs Manipulation: test gift-wrap, expedited shipping, other cost-adders – see if they can be removed or manipulated to reduce cost improperly.
* [ ] Response Manipulation: intercept the server response or third-party payment callback and attempt to manipulate it (e.g., change “paid” status) and verify backend rejects tampered responses.
* [ ] Repeating Input Parameters: send duplicate parameters (e.g., `amount=2&amount=3`) or weird arrays and check how the server handles duplicates.
* [ ] Omitting Input Parameter or Value: remove a parameter entirely or send null/empty or malformed (e.g., missing equals sign) and check for unintended behaviour.
* [ ] Mass Assignment / Auto-Binding / Object Injection: send extra parameters (not expected by front end) to see if internal objects get manipulated (e.g., set `due_date` far in future).
* [ ] Combined Parameter Changes: change more than one parameter (e.g., price + quantity, shipping method + address) to detect logical flaws in combination.
* [ ] Quantity Manipulation: test fractional, negative, zero quantities, very large quantities and verify price and quantity enforcement.

</details>

<details>

<summary><strong>Replay Attacks</strong></summary>

* [ ] Replay an encrypted parameter request (or reuse encrypted token) and test if the system treats it as new/valid transaction.
* [ ] Replay a successful payment callback (with same transaction id) and see if the system re-credits or re-processes the transaction.

</details>

<details>

<summary><strong>Rounding &amp; Numerical Processing Tests</strong></summary>

* [ ] Currency Rounding: deposit/convert currencies (or buy items) where rounding difference is exploited (e.g., $0.20 → £0.1352 → $0.2004) and check for profit behaviour.
* [ ] Negative Numbers: test negative values for price, deposit, quantity to see if logic is reversed (e.g., user gets credit).
* [ ] Decimal Numbers: test decimal values where integers expected for quantity/price and observe rounding or truncation issues.
* [ ] Generic Rounding: deposit e.g., £10.0049 but only £10.00 withdrawn and balance credited incorrectly — repeat many times to verify exploitability.
* [ ] Large or Small Numbers: send very large or very small numbers beyond normal bounds and verify validations.
* [ ] Overflows/Underflows: test inputs near variable limits (e.g., max int, min int) and check for roll-over behaviour.
* [ ] Zero / Null / Subnormal Numbers: test “0”, “0.00”, “-0.00”, “1e-50”, etc and check if system handles them properly.
* [ ] Exponential Notation: send numbers like “9e99”, “1e-1” to test parsing and logic bypass.
* [ ] Numbers in Different Formats: test “001.0000”, “$10”, “£0”, “-0.00”, etc to verify correct numeric parsing across tech stacks.
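The defensive counterpart to this whole section is a strict money parser plus consistent rounding. The example below is added here (not from the page or the referenced paper); it rejects every input shape listed above instead of repairing it, and uses the page's own $0.20 → £0.1352 round trip to show that rounding down in the platform's favour removes the arbitrage while half-even rounding leaves it. The 0.676 rate and the 1,000,000 limit are assumed values.

```python
import re
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

# Accepted shape: digits with no leading zeros, optional fraction of at most 2 places.
# Sign, exponent, currency symbol or extra decimals are rejected, never "fixed up".
AMOUNT_RE = re.compile(r"(0|[1-9]\d{0,9})(\.\d{1,2})?")
QUANTITY_RE = re.compile(r"[1-9]\d{0,3}")          # 1..9999 whole units
MINOR_UNIT = Decimal("0.01")
MAX_AMOUNT = Decimal("1000000.00")                 # assumed business limit

def parse_amount(raw):
    """Return a Decimal quantized to minor units, or None when the input is rejected."""
    if not isinstance(raw, str) or not AMOUNT_RE.fullmatch(raw.strip()):
        return None   # "-5", "1e-50", "9e99", "$10", "£0", "001.0000", "10.0049", "-0.00"
    value = Decimal(raw.strip())
    if value <= 0 or value > MAX_AMOUNT:           # "0", "0.00" and anything out of range
        return None
    return value.quantize(MINOR_UNIT)

def parse_quantity(raw):
    """Whole positive units only: fractional, zero, negative and huge values are rejected."""
    if not isinstance(raw, str) or not QUANTITY_RE.fullmatch(raw.strip()):
        return None
    return int(raw.strip())

def line_total(unit_price: Decimal, quantity: int) -> Decimal:
    """Multiply in Decimal, never float, and quantize once at the end."""
    return (unit_price * quantity).quantize(MINOR_UNIT)

def convert(amount: Decimal, rate: Decimal, rounding=ROUND_DOWN) -> Decimal:
    """Currency conversion to minor units; ROUND_DOWN never rounds in the caller's favour."""
    return (amount * rate).quantize(MINOR_UNIT, rounding=rounding)

def round_trip_gain(amount: Decimal, rate: Decimal, rounding=ROUND_DOWN) -> Decimal:
    """Balance after converting out and straight back, minus the starting amount.
    A positive result is exactly the rounding arbitrage the checklist item describes."""
    return convert(convert(amount, rate, rounding), 1 / rate, rounding) - amount
```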

</details>

<details>

<summary><strong>Card Number / Payment Card Related Tests</strong></summary>

* [ ] Ensure that saved card numbers are not fully displayed during checkout or in HTTP responses; only last 4 digits if needed.
* [ ] Attempt enumeration: test registering duplicate cards across accounts (if site blocks duplicates) to see if card numbers of other users can be deduced.

</details>

<details>

<summary><strong>Dynamic Prices / Referral Schemes Tests</strong></summary>

* [ ] If dynamic pricing exists (based on currency, device, referral code, time), submit a price number close (± 0.01) to original and check if unexpected margin accepted.
* [ ] Verify that the dynamic pricing logic is properly signed/cryptographically protected so user can’t manipulate input.

</details>

<details>

<summary><strong>Discount Codes / Vouchers / Reward Points / Gift Cards Tests</strong></summary>

* [ ] Earning More Points/Cash than Price: purchase with points, then verify if points are earned in the same transaction, resulting in net gain.
* [ ] Using Expired/Invalid/Other Users’ Codes: apply expired or someone else’s codes to see if system rejects correctly.
* [ ] Refund Abuse: buy item, refund it, in between spend points or get free items — check full reversal of associated rewards.
* [ ] State & Basket Manipulation: modify basket after discount calculation (remove items, mix discounted & non-discounted) and check discount still valid incorrectly.
* [ ] Ordering Out of Stock or Unreleased Items: attempt to buy items flagged “out of stock” or “not yet released” to check if order is still processed with discount/exploit.
* [ ] Bypassing Restrictions: test limited-quantity offers, customer-specific offers, one-time vouchers in multiple accounts to verify restrictions.
* [ ] Point Transfer: if users can transfer loyalty points or rewards (e.g., closing account or lost card) test for abuse of transfer + race conditions.
* [ ] Enumeration / Guessing: attempt to guess voucher/gift card codes or loyalty codes for other users; verify code generation randomness/unpredictability.
* [ ] Buy-X-Get-Y-Free: check if cheapest vs expensive items are correctly discounted or if logic allows paying for cheaper and getting expensive item free.
* [ ] Offers/Voucher Stacking: check if multiple promotions (buy-one-get-one, 3-for-2, etc) can be combined incorrectly to reduce cost unfairly.

</details>

<details>

<summary><strong>Cryptography &amp; Backend/API Tests</strong></summary>

* [ ] Encryption/Decryption misuse: check if encrypted parameters can be used to shape arbitrary data (replay, manipulate).
* [ ] Downloadable/Virtual Goods: attempt direct object reference (e.g., guess URL of non-free asset) and check if access is restricted.
* [ ] Hidden/insecure backend APIs: discover APIs not exposed in UI (e.g., admin, bulk operations) and test for unauthorized access or balance adjustment.
* [ ] Test data in production: check for debug/test payment endpoints, dummy card numbers left in production environment that can be exploited.
* [ ] Hash/signature concatenation issues: test if signature protects against tampering - e.g., moving part of one parameter into another but same signature.
* [ ] Review cryptography implementation: ensure strong algorithms (avoid custom weak crypto), check for brute-force vulnerability of secret keys.
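The following added example (not from the page or the referenced paper) covers two items at once: the "replay a successful payment callback" test in the Replay Attacks section and the hash/signature concatenation item above. It shows the delimiter-free concatenation that lets two different parameter sets share one signature, a length-prefixed canonical encoding that does not, and a callback handler that authenticates before it deduplicates by transaction id. The secret, field names and amounts are constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # constructed; real deployments load this from a secret store

def naive_signature(fields: dict) -> str:
    """The flawed scheme the checklist warns about: values joined with no delimiter.
    amount=10,id=5 and amount=1,id=05 both feed "105" to the hash and so collide."""
    joined = "".join(str(fields[k]) for k in sorted(fields))
    return hashlib.sha256(SECRET + joined.encode()).hexdigest()

def canonical(fields: dict) -> bytes:
    """Unambiguous encoding: sorted keys, every key and value length-prefixed, so no
    bytes can move between fields and still produce the same MAC input."""
    parts = []
    for k in sorted(fields):
        v = str(fields[k])
        parts.append(f"{len(k)}:{k}:{len(v)}:{v};")
    return "".join(parts).encode()

def sign(fields: dict) -> str:
    return hmac.new(SECRET, canonical(fields), hashlib.sha256).hexdigest()

class Ledger:
    """Minimal in-memory account: a balance plus the transaction ids already applied."""
    def __init__(self):
        self.balance_cents = 0
        self.processed = set()

def process_callback(ledger: Ledger, fields: dict, signature: str) -> str:
    """Order matters: authenticate first, then filter by status, then dedupe, then credit."""
    if not hmac.compare_digest(sign(fields), signature):
        return "rejected: bad signature"
    if fields.get("status") != "paid":
        return "ignored: not a paid event"
    if fields["txn_id"] in ledger.processed:
        return "rejected: replay"       # same txn_id seen before: never credit twice
    ledger.processed.add(fields["txn_id"])
    ledger.balance_cents += int(fields["amount_cents"])
    return "credited"
```

In production the processed-id set must be persistent and the "record id, then credit" step must be one atomic write (for example a unique constraint on the transaction id), otherwise two concurrent replays can both pass the membership check.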

</details>

<details>

<summary><strong>Currency Arbitrage / Deposit/Refund Tests</strong></summary>

* [ ] Verify if different parts of system (deposit API / withdrawal API) use inconsistent exchange rates or rounding rules.
* [ ] Deposit in one currency, withdraw in another, exploit rounding/exchange rate differences for profit.

</details>

<details>

<summary>References</summary>

{% embed url="https://soroush.me/downloadable/common-security-issues-in-financially-orientated-web-applications.pdf" %}

</details>
