How I Bought a VPS, Hosting and a Domain for only $0.01 | Bug Bounty

Hello guys, my name is Rafli Pasya.
This story tells you how I found a simple vulnerability with a huge impact.
Okay, let's start my story.

By the way, I found this kind of vulnerability on two different local sites:
1. ( Online Store )
2. ( Web Hosting Service )

That day I wanted to buy an RDP for recon. I visited the website and saw the "PayPal Checkout" button. Usually an online store only sends POST data to PayPal (/cgi-bin/webscr), including the amount that needs to be paid, so I can definitely change the price.

Note: it sometimes also works with Braintree Payments, if there is no filter/validator before or after the transaction.

The POST request sent to PayPal looks like this:


If any hacker finds this request, they will change the price and tax amount like this:

After paying $0.01 I got an email from them saying that the payment had been made.


I clicked the "Confirm My Payment" button and saw my order change to "Paid".

The second bug I found at a hosting service provider.
This website didn't check the total amount I had paid.
They just checked the transaction ID; if it was successful, they activated my hosting...

Note: this vulnerability is fixed in WHMCS; any hosting provider using WHMCS is not vulnerable anymore, because it checks the amount I paid.
If it is less than the total bill, I have to pay the remainder.
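As an added example (not code from the original post or from either site), here is the server-side check both the store and the hosting provider were missing: before an order is marked paid, the payment notification is compared against the order the server itself stored, on transaction ID, status, receiver, currency and amount. Field names follow PayPal's IPN variables; the order, merchant address and the three notifications are constructed sample data, and the notification is assumed to have already been validated with PayPal.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

@dataclass
class Order:
    order_id: str
    total: Decimal      # computed server-side from the cart; never taken from the client
    currency: str
    status: str = "pending"

@dataclass
class PaymentStore:
    orders: dict
    seen_txn_ids: set = field(default_factory=set)  # blocks reuse of one real payment

def settle_payment(store, note, merchant_email):
    """Mark an order paid only if the (already validated) notification matches it on every field; returns (ok, reason)."""
    order = store.orders.get(note.get("invoice"))
    if order is None:
        return False, "unknown order"
    txn_id = note.get("txn_id")
    if not txn_id or txn_id in store.seen_txn_ids:
        return False, "missing or replayed txn_id"
    if note.get("payment_status") != "Completed":
        return False, "payment not completed"
    if note.get("receiver_email") != merchant_email:
        return False, "paid to a different account"
    if note.get("mc_currency") != order.currency:
        return False, "currency mismatch"
    try:
        paid = Decimal(note.get("mc_gross", "0"))
    except InvalidOperation:
        return False, "unparseable amount"
    if paid < order.total:          # the check both sites lacked: amount paid vs. amount owed
        return False, f"underpaid: {paid} {order.currency} < {order.total}"
    store.seen_txn_ids.add(txn_id)
    order.status = "paid"
    return True, "ok"

MERCHANT = "billing@example.com"   # assumed merchant PayPal account (placeholder)

# Constructed sample: a $90 hosting order, a notification tampered to $0.01, a genuine one, and a replay.
def demo():
    store = PaymentStore(orders={"H-1001": Order("H-1001", Decimal("90.00"), "USD")})
    base = {"invoice": "H-1001", "payment_status": "Completed",
            "receiver_email": MERCHANT, "mc_currency": "USD"}
    tampered = settle_payment(store, {**base, "txn_id": "T1", "mc_gross": "0.01"}, MERCHANT)
    genuine = settle_payment(store, {**base, "txn_id": "T2", "mc_gross": "90.00"}, MERCHANT)
    replayed = settle_payment(store, {**base, "txn_id": "T2", "mc_gross": "90.00"}, MERCHANT)
    return tampered, genuine, replayed, store.orders["H-1001"].status
```

The tampered notification is rejected as underpaid, the genuine one marks the order paid, and a second copy of the same transaction ID is refused.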


I paid $0.01 for Rp 1.226.954 (around $90-$95).

I immediately reported this issue to them. I got a nice bounty from the hosting provider; the online store gave me less xD (better than nothing).

1 Nov 2019 = Found this issue on and reported it.
2 Nov 2019 = Found this issue on and reported it.
3 Nov 2019 = Bug fixed & awarded $500 from
4 Nov 2019 = Bug fixed & awarded Rupiah 1 Million from

Thanks for reading this write-up, guys!
Remember: always read the bug bounty write-ups on Pentester Land. They are useful and will help you.
