“One request. One dollar. And full access to what should’ve been locked behind a gate of validations.”
I wasn’t hunting for bounties that day.
Just cruising through a web app — xyz.com, a domain and web hosting platform. Neat UI. Clean backend. Featured domains glowing with price tags:
$239, $119, $419...
And yet, something felt… unwatched.
So I added a domain worth $239 to my cart.
Burp Suite ready. Intercept on.
Just another day of harmless recon.
Until I saw this:
"price": 239.00
In plain text. Editable. Sitting there.
No signature. No hash. No server-calculated invoice ID.
Just… trusting me.
Out of sheer curiosity — and pure ethical intent — I changed it:
"price": 1.00
Forwarded the request.
Paused.
Expected a 403. Maybe a 422. Maybe an angry modal saying “Invalid price.”
Instead…
🟢 Redirected to the next screen.
🟢 Price reflected: $1.00
🟢 PayPal form appeared, asking for my email.
🟢 Final confirmation page… showing me that sweet $1 button.
I could’ve bought a premium $239 domain for the price of a chai.
Legally. On paper. With full backend approval.
But I didn’t.
No exploitation. No purchase. No fuzzing.
I stopped right there.
I took screenshots. Saved request logs. Documented the entire flow.
Then wrote a responsible disclosure report and sent it to xyz.com on September 5th, 2024.
⏳ No reply.
🧊 No fix.
🧟 The bug still lives — in production.
For nearly 10 months, this critical logic flaw has slept like a ghost in their systems. Waiting for someone less ethical to come along and exploit it at scale.
This wasn’t just a “UI mismatch” or a misconfigured price tag.
This was a complete collapse of server-side validation:
- No integrity check on critical purchase values
- No server-enforced pricing logic
- No protection against direct tampering
An attacker could:
- Buy 100s of domains at $1 each
- Resell or park them
- Mass abuse domain-based services
- Cause irreversible financial damage
All with one intercepted request.
Let this sink in:
If your server trusts the client, your business model is already hacked.
Your price logic, permission models, coupon codes, even tax values — must be re-validated server-side. Every. Single. Time.
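To make the fix concrete, here is an added example (not code from xyz.com or from this post) showing the two patterns side by side: a checkout handler that charges whatever "price" the request body says, and one that takes the price from a server-side catalog and rejects any request whose client-side value disagrees. The catalog, domain names and request bodies are constructed for illustration.

```python
"""Added example: client-trusting checkout vs. server-priced checkout.
Everything here (catalog, domains, request bodies) is constructed."""
from dataclasses import dataclass
from decimal import Decimal
import json

# Constructed server-side catalog: the only source of truth for prices.
CATALOG = {
    "example-premium.com": Decimal("239.00"),
    "example-mid.com": Decimal("119.00"),
    "example-top.com": Decimal("419.00"),
}


class PriceTamperingError(ValueError):
    """Raised when the client's price does not match the server catalog."""


@dataclass
class Order:
    domain: str
    amount: Decimal  # the amount that will actually be charged


def checkout_trusting_client(body: str) -> Order:
    """Vulnerable pattern: the charged amount is copied from the request."""
    req = json.loads(body)
    return Order(domain=req["domain"], amount=Decimal(str(req["price"])))


def checkout_server_priced(body: str) -> Order:
    """Hardened pattern: the charged amount comes from CATALOG.

    The client-supplied "price" is treated only as a display hint and is
    compared against the catalog so a mismatch can be rejected and logged.
    """
    req = json.loads(body)
    domain = req["domain"]
    if domain not in CATALOG:
        raise KeyError(f"unknown domain: {domain}")
    server_price = CATALOG[domain]
    client_price = Decimal(str(req.get("price", server_price)))
    if client_price != server_price:
        # Either a stale client or a tampered request; in both cases the
        # server charges its own number or refuses, never the client's.
        raise PriceTamperingError(
            f"client sent {client_price} for {domain}, catalog says {server_price}"
        )
    return Order(domain=domain, amount=server_price)


def is_tampered(body: str) -> bool:
    """Convenience check: True when the hardened handler rejects the body."""
    try:
        checkout_server_priced(body)
    except PriceTamperingError:
        return True
    return False


# Constructed request bodies: one honest, one with the price edited in transit.
HONEST = json.dumps({"domain": "example-premium.com", "price": 239.00})
TAMPERED = json.dumps({"domain": "example-premium.com", "price": 1.00})

if __name__ == "__main__":
    print("naive handler charges:", checkout_trusting_client(TAMPERED).amount)
    print("hardened handler flags tampering:", is_tampered(TAMPERED))
    print("hardened handler charges for honest request:",
          checkout_server_priced(HONEST).amount)
```

The same shape applies to coupon codes, tax values and permission flags: the request may carry them, but the server recomputes each one from its own data and treats a disagreement as a signal worth logging, not as an instruction to follow.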
✔️ Didn’t misuse
✔️ Didn’t leak the exploit
✔️ Gave them nearly a year
✔️ Tried again to follow up — no response
I’m sharing this now not to shame, but to educate.
Because if a whitehat finds it and tells you… and you still ignore it… the next one might not be so kind.