How i Bought VPS, Hosting, Domain only $0.01 | Bug Bounty

Hello guys, my name is Rafli Pasya.
This story will tell you how I found a simple vulnerability with a huge impact.
So okay, let's start my story.

btw guys, I found this kind of vulnerability on 2 different local sites:
1. redacted.net (online store)
2. redacted.com (web hosting service)

That day I wanted to buy RDP for recon. I visited the redacted.net website, where I saw the "PayPal Checkout" button. Usually an online store only sends POST data to PayPal (/cgi-bin/webscr) including the amount that needs to be paid, so I can definitely change the price.

Note: it sometimes also works with Braintree Payments if there is no filter / validator before or after the transaction.

redacted.net sends a POST request to PayPal like this:

….&amount=1321&tax=12&….

If any hacker finds this request they will change the price and tax amount like this:
….&amount=0.01&tax=0&….

After paying $0.01 I got an email from redacted.net confirming that my payment was received.

I clicked the "Confirm My Payment" button, then I saw my order changed to "Paid".

The second bug I found at a hosting service provider.
This website didn't check the total amount I had paid.
They just checked the transaction ID; if it was successful they activated my hosting...

Note: this vulnerability is fixed in WHMCS. Any hosting provider using WHMCS is not vulnerable anymore because they check the amount I paid;
if it is less than the total bill I have to pay the rest again.
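Both bugs above come down to the same missing server-side check: the store trusts the gateway's "success" and the transaction ID but never compares what was actually paid with what the order costs. The following is an added example, not code from either site or from WHMCS, showing the vulnerable confirmation logic next to a hardened one. The notification fields (txn_id, payment_status, mc_gross, mc_currency, receiver_email, custom) follow PayPal IPN naming; the order data, merchant address and the tampered notification are all constructed for the example, and the gateway postback (asking PayPal whether the notification is genuine) is assumed to have been done by the caller and passed in as a flag.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

@dataclass
class Order:
    order_id: str
    total: Decimal      # computed server-side from the cart, never taken from the client
    currency: str
    status: str = "unpaid"

MERCHANT_EMAIL = "payments@shop.example"   # constructed merchant receiver address

def new_orders() -> dict[str, Order]:
    """Constructed order book: 1321 + 12 tax, the figures from the post."""
    return {"A100": Order("A100", Decimal("1333.00"), "USD")}

def vulnerable_confirm(notification: dict, orders: dict[str, Order]) -> bool:
    """The pattern the post describes: a 'Completed' status for a known order
    is enough to mark it paid, regardless of the amount."""
    order = orders.get(notification.get("custom", ""))
    if order is None or notification.get("payment_status") != "Completed":
        return False
    order.status = "paid"
    return True

def hardened_confirm(notification: dict, orders: dict[str, Order],
                     seen_txn_ids: set[str], gateway_verified: bool) -> tuple[bool, str]:
    """Mark the order paid only if every server-side check passes.
    Returns (accepted, reason) so the caller can log why a payment was rejected."""
    if not gateway_verified:
        return False, "notification not verified with the gateway"
    order = orders.get(notification.get("custom", ""))
    if order is None:
        return False, "unknown order"
    if notification.get("payment_status") != "Completed":
        return False, "payment not completed"
    if notification.get("receiver_email") != MERCHANT_EMAIL:
        return False, "paid to a different receiver"
    txn_id = notification.get("txn_id", "")
    if not txn_id or txn_id in seen_txn_ids:
        return False, "missing or replayed transaction id"
    if notification.get("mc_currency") != order.currency:
        return False, "currency mismatch"
    try:
        paid = Decimal(notification.get("mc_gross", "0"))
    except InvalidOperation:
        return False, "unparseable amount"
    # The check both sites were missing: compare paid amount to the server-side total.
    if paid < order.total:
        return False, f"underpaid: got {paid}, expected {order.total}"
    seen_txn_ids.add(txn_id)
    order.status = "paid"
    return True, "ok"

def tampered_notification() -> dict:
    """Constructed notification for an order where the client changed amount to 0.01."""
    return {"custom": "A100", "txn_id": "TXN-EXAMPLE-1", "payment_status": "Completed",
            "mc_gross": "0.01", "mc_currency": "USD", "receiver_email": MERCHANT_EMAIL}

if __name__ == "__main__":
    orders = new_orders()
    print("vulnerable:", vulnerable_confirm(tampered_notification(), orders), orders["A100"].status)
    orders = new_orders()
    print("hardened:", hardened_confirm(tampered_notification(), orders, set(), gateway_verified=True))
```

The amount comparison uses Decimal rather than float so that a total like 1333.00 is compared exactly; the seen-transaction set closes the replay case where one genuine small payment is reused to confirm several orders.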

I paid $0.01 for Rp 1.226.954 (around $90-$95).

I immediately reported this issue to them. I got a nice bounty from the hosting provider; the online store gave me less xD (better than nothing).

Timeline:
1 Nov 2019 = Found this issue on redacted.net and reported it.
2 Nov 2019 = Found this issue on redacted.com and reported it.
3 Nov 2019 = Bug fixed and awarded $500 from redacted.com.
4 Nov 2019 = Bug fixed and awarded Rupiah 1 million from redacted.net.

Thanks for reading this write-up guys!
Remember! Always read bug bounty write-ups on Pentester Land; they are useful and will help you.
