I hacked and Purchased the Premium Account at Rupees

Rakesh Mali
3 min read, May 18, 2020

Hi guys, here I am back with one more finding. I found a parameter tampering bug in a Bugcrowd private program; let us assume the program name is https://dash.com. I was playing with that site. At that time I wasn't aware of account takeover and SSRF. I found the bug when I was in the final year of engineering. My college name is Vemana Institute of Technology, Bangalore. I am very proud to say that I am a Vemanite; this college taught me a lot. Every morning I used to sit alone on the college pavilion, thinking about what to hack today. At that time I was using the free Wi-Fi in my college. I will not disclose the Wi-Fi name for security reasons. Every day I was using the Wi-Fi, which is available for 20 minutes only. After that it asks you to pay to keep using it. I planned to buy 1 GB. Suddenly I got an idea to hack that Wi-Fi. I successfully hacked it and purchased 10 GB at 1 rupee. After that I searched for the security team to report the issue. Unfortunately I couldn't find a security team for that Wi-Fi. After that bug I thought, why can't I check for this type of bug on Bugcrowd?

I selected one program on Bugcrowd, and there I found the premium account activation. For a premium account we have to pay 599 rupees. I fired up my Burp Suite, captured the request, modified the payment value from 599 to 1 rupee and forwarded the captured request.

Boom... now the site takes you to the payment portal to pay 1 rupee. I quickly paid through Amazon Pay and the payment went through successfully.
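The flow in the two paragraphs above, as an added example that is not from the post or from the program concerned: a checkout handler that trusts the client-supplied amount beside one that prices the plan server-side and checks the gateway's confirmed amount before activating anything. Plan names other than the 599-rupee premium plan, and the request and callback field names, are assumptions.

```python
# Added example (not the post's or the program's code). Shows why editing the
# amount in an intercepted request worked, and the server-side checks that
# stop it. Field names, plan names and the callback shape are assumptions.

# Authoritative price table; lives only on the server, never in the request.
PLAN_PRICES_INR = {"premium": 599}


def create_order_vulnerable(request: dict) -> dict:
    """Trusts the amount the browser sent, so 599 edited to 1 is accepted."""
    return {"plan": request["plan"], "amount": int(request["amount"])}


def create_order_hardened(request: dict) -> dict:
    """Ignores any client-supplied amount; the price is looked up server-side."""
    plan = request["plan"]
    if plan not in PLAN_PRICES_INR:
        raise ValueError(f"unknown plan: {plan!r}")
    return {"plan": plan, "amount": PLAN_PRICES_INR[plan]}


def verify_and_activate(order: dict, gateway_callback: dict) -> str:
    """Decide activation from the gateway's confirmed amount, not the order.

    Returns 'activated' only when the payment succeeded AND the amount the
    gateway confirms equals the server-side list price for the plan. Any
    other outcome is a rejection string the caller should log and alert on:
    a successful payment for less than list price is exactly the tampering
    pattern described in the post.
    """
    if gateway_callback.get("status") != "success":
        return "rejected:payment-not-successful"
    expected = PLAN_PRICES_INR[order["plan"]]
    paid = int(gateway_callback["amount_paid"])
    if paid != expected:
        return "rejected:amount-mismatch"
    return "activated"


if __name__ == "__main__":
    # Constructed sample: a request whose amount was edited in a proxy.
    tampered = {"plan": "premium", "amount": "1"}
    print(create_order_vulnerable(tampered))  # amount 1 goes to the gateway
    print(create_order_hardened(tampered))    # amount 599 regardless of input
    print(verify_and_activate({"plan": "premium"},
                              {"status": "success", "amount_paid": 1}))
```

The callback check matters on its own: even if the order amount is fixed, a gateway confirmation must be compared against the expected price before the plan is switched on.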

I reported the issue to the security team. They responded and accepted it as a P2 bug, and after 2 months the security team changed the priority to P1, and I was like

They rewarded me with points, because this program provides only points and Hall of Fame.

Thanks for Reading

Regards

Rakesh

Reported 28 Sep 2019

Triaged 30 Sep 2019

Rewarded 03 Oct 2019

Fixed 25 Nov 2019

Rakesh Mali

Ethical hacker, CEO and founder of PRAMSHVK Cyber Solutions, bug bounty hunter