Vulnerability Summary
The bug was a Business Logic vulnerability that allowed users to access paid features while they were on a free plan.
My name is Ziad Momen Ahmed, a cybersecurity student specializing in Web Penetration Testing, and currently expanding my skills in Mobile Penetration Testing. I have a strong passion for cybersecurity and continuously strive to improve myself and achieve meaningful milestones in this field.
I started my bug hunting journey in July, and today I’m excited to share my first resolved vulnerability that I discovered on a HackerOne program. So let’s get started.
I started by exploring the application and breaking it down into its main functionalities. One of the features I decided to focus on was the invitation functionality.
HackerOne disclosed report: https://hackerone.com/reports/3591764 (by ziadmomen)