Zerb0a
Nov 12 · 2 min read

How I Bought a VPS, Hosting and a Domain for Only $0.01 | Bug Bounty

Hello guys, my name is Rafli Pasya.
This story tells how I found a simple vulnerability with a huge impact.
Okay, let's start my story.

By the way, I found this kind of vulnerability on two different local sites:
1. redacted.net (online store)
2. redacted.com (web hosting service)

That day I wanted to buy an RDP for recon. I visited the redacted.net website and saw the "PayPal Checkout" button. Online stores using PayPal Standard checkout usually just send the payment fields, including the amount to be paid, as a POST request from the customer's browser to PayPal (/cgi-bin/webscr). Because that request passes through the client, I can definitely change the price.

Note: this sometimes works with Braintree Payments as well, if there is no filter/validator on the amount before or after the transaction.

The redacted.net checkout sends a POST request to PayPal like this:

….&amount=1321&tax=12&….

If an attacker intercepts this request, they can change the price and the tax amount like this:
….&amount=0.01&tax=0&….

After paying $0.01 I got an email from redacted.net confirming that I had paid.

I clicked the "Confirm My Payment" button and saw my order change to "Paid".

The second bug I found at a hosting service provider.
This website didn't check the total amount I had paid.
It only checked the transaction ID; if the transaction was successful, it activated my hosting...

Note: this vulnerability is fixed in WHMCS. Any hosting provider using WHMCS is not vulnerable anymore, because it checks the amount I paid:
if it is less than the total bill, I have to pay the remainder.

I paid $0.01 for Rp 1.226.954 (around $90-$95).
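Both bugs above come down to the same missing server-side check: the store trusted the amount field that went through the browser, and the hosting provider trusted the transaction ID alone. The following is an added example written for this page, not code from redacted.net, redacted.com, WHMCS or PayPal. It shows the vulnerable "mark paid" logic next to a hardened version that compares the amount PayPal reports (mc_gross) with the total the server recorded for the order. The field names (txn_id, payment_status, mc_gross, mc_currency, receiver_email, custom) are the ones PayPal uses in its IPN messages; the checkout form body, the IPN messages, the order record and the merchant email are constructed for the demo, and the ipn_verified flag stands in for the postback to PayPal that a real listener must perform before trusting a message.

```python
"""Server-side payment verification: the check both sites in the write-up lacked.

Added example, not code from redacted.net, redacted.com, WHMCS or PayPal.
All sample data below is constructed for the demo.
"""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

MERCHANT_EMAIL = "payments@example.net"  # assumed merchant PayPal account (constructed)

# What the store's server recorded for the order before redirecting to PayPal.
# This record, not the form that went through the browser, is the source of truth.
ORDER = {"id": "A-1001", "total_due": Decimal("1333.00"), "currency": "USD"}

# Constructed checkout form body, shaped like the one quoted in the post: amount and tax
# ride in the browser's POST to /cgi-bin/webscr, so anyone can edit them before sending.
CHECKOUT_POST = ("cmd=_xclick&business=payments%40example.net&item_name=RDP"
                 "&amount=1321&tax=12&currency_code=USD&custom=A-1001")
TAMPERED_POST = CHECKOUT_POST.replace("amount=1321", "amount=0.01").replace("tax=12", "tax=0")


def checkout_gross(post_body: str) -> Decimal:
    """Amount PayPal will actually charge for a Standard-checkout form: amount + tax."""
    fields = parse_qs(post_body)
    amount = Decimal(fields.get("amount", ["0"])[0])
    tax = Decimal(fields.get("tax", ["0"])[0])
    return amount + tax


# Constructed IPN messages as PayPal would POST them back to the merchant's listener.
LEGIT_IPN = {
    "txn_id": "TXN0001", "payment_status": "Completed", "mc_gross": "1333.00",
    "mc_currency": "USD", "receiver_email": MERCHANT_EMAIL, "custom": "A-1001",
}
# Result of paying with the tampered form: a real, completed transaction for one cent.
TAMPERED_IPN = dict(LEGIT_IPN, txn_id="TXN0002", mc_gross="0.01")


def vulnerable_mark_paid(ipn: dict, order: dict, seen_txn_ids: set) -> bool:
    """The logic the post describes: a completed transaction with a txn_id marks the
    order paid. The amount is never compared with the order total, so $0.01 succeeds."""
    if ipn.get("payment_status") != "Completed" or not ipn.get("txn_id"):
        return False
    seen_txn_ids.add(ipn["txn_id"])
    return True


def hardened_mark_paid(ipn: dict, order: dict, seen_txn_ids: set, ipn_verified: bool = True):
    """Returns (ok, reason). ipn_verified stands in for the postback of the raw IPN to
    PayPal that must answer VERIFIED before any field is trusted (assumed hook, offline here)."""
    if not ipn_verified:
        return False, "ipn not verified by paypal"
    if ipn.get("payment_status") != "Completed":
        return False, "payment not completed"
    if ipn.get("receiver_email", "").lower() != MERCHANT_EMAIL.lower():
        return False, "paid to a different account"
    if ipn.get("custom") != order["id"]:
        return False, "ipn does not reference this order"
    if ipn.get("mc_currency") != order["currency"]:
        return False, "currency mismatch"
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return False, "unparseable amount"
    if paid != order["total_due"]:  # the comparison both sites were missing
        return False, f"paid {paid} but {order['total_due']} due"
    txn = ipn.get("txn_id", "")
    if not txn or txn in seen_txn_ids:  # one transaction must settle one order, once
        return False, "duplicate or missing txn_id"
    seen_txn_ids.add(txn)
    return True, "ok"


if __name__ == "__main__":
    print("browser form would charge:", checkout_gross(CHECKOUT_POST),
          "/ tampered form:", checkout_gross(TAMPERED_POST))
    for name, ipn in (("legit", LEGIT_IPN), ("tampered", TAMPERED_IPN)):
        print(f"{name}: vulnerable={vulnerable_mark_paid(ipn, ORDER, set())}"
              f" hardened={hardened_mark_paid(ipn, ORDER, set())}")
```

The point of the hardened version is that the order total is read from the server's own record and compared with mc_gross, with currency and receiver checked as well, because an attacker who can edit the amount can just as easily edit currency_code or business. Checking txn_id against already-used IDs closes the related trick of replaying one real payment against several orders.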

I immediately reported this issue to them. I got a nice bounty from the hosting provider; the online store gave me less xD (better than nothing).

Timeline:
1 Nov 2019 = Found this issue on redacted.net and reported it.
2 Nov 2019 = Found this issue on redacted.com and reported it.
3 Nov 2019 = Bug fixed and awarded $500 by redacted.com.
4 Nov 2019 = Bug fixed and awarded Rp 1 million by redacted.net.

Thanks for reading this write-up, guys!
Remember: always read bug bounty write-ups on Pentester Land; they are useful and will help you.


Written by Zerb0a

Blog: https://raflipasya19.blogspot.com
