I Booked a ₹30,000 Conference Ticket for ₹1. The Site Let Me.
A business logic flaw. A Burp Suite intercept. And the first Hall of Fame of my life.

2026-5-28 11:47:46 Author: infosecwriteups.com Reads: 16

LordofHeaven



I was not supposed to find this.

I had just finished a PortSwigger lab on business logic vulnerabilities. Watched one YouTube PoC. Read half a blog post. That was the extent of my expertise. I was a student with a Kali VM, a free Burp Suite license, and genuinely no idea what I was doing in 2024.

I opened a random website to practice. Not a dedicated bug bounty program. Just a website I wanted to poke at.

That random website turned out to be an enterprise business management platform used by corporations across the globe.

The browser tab showed a conference booking summary: ₹30,000 for a single premium seat. July 2024. The kind of ticket someone books on a company card without blinking.

And within an hour, I had a ₹30,000 premium conference ticket in my inbox — for exactly ₹1.

What Business Logic Vulnerabilities Actually Are

Most beginners go straight for XSS and SQLi. They scan everything, get nothing, and quit.

Business logic flaws are different. There is no injection. No payload. No CVE to reference. The application works exactly as designed — the attacker just uses it in a way the developers never imagined.

Price manipulation is one of the oldest and most embarrassing examples. The server calculates a total, sends it to the browser, and the browser sends it back during checkout. If the server does not re-verify that total server-side before charging — you control the price.

Simple idea. Devastating in practice.

The Target

The platform was hosting registrations for a major conference. Premium seats priced at ₹30,000.

I am not naming the domain. What I will say: this was not a small startup. It was a widely used corporate ERP solution with an enterprise client base. The kind of platform where a single registration bug has real financial consequences at scale.

I picked it randomly. I was just looking for something to test.

What I Did Inside Burp Suite

I enabled intercept, filled out the registration form, selected the highest-tier premium ticket, and clicked “Proceed to Pay.”

Burp Suite caught the POST request before it hit the server.


In the request body, I could see the pricing parameters sent as plain text:

confrence_total_base_fare=30000
default_discount=80
confrence_sub_total=6000
confrence_sub_total_gst=1080
confrence_total=7080
isvalidcoupon=0
coupon_code=

The server had calculated the subtotal and GST. The client was now sending that calculation back. Including the discount percentage. Including the final total.

The server was trusting numbers it had sent to the browser — numbers the user could edit.

I did not overthink it. I changed default_discount to 100 and confrence_total to 1.

Forwarded the request.


The payment page loaded. Total Amount Payable: INR 1.00.

I stopped. Stared at the screen. Refreshed.


Still ₹1.

I had no plan beyond this point. I had just been practicing. But the number on screen was real.

The Part I Did Not Expect

I want to be honest here. I did not think it would go through.

I selected UPI as the payment method. Paid ₹1 from my account. Hit confirm.


The site asked for my personal details — name, phone number, address — for the entry pass and conference swag. I filled everything in.

Then the confirmation landed.

A full conference registration. Premium tier. ₹30,000 seat. Charged ₹1.

The system had issued a valid ticket.

Writing My First Bug Report

I had never written a bug report before. I did not know the format. I wrote what I could: steps to reproduce, the request, the screenshots, the confirmation email as proof of impact.

I sent it to the platform’s responsible disclosure email.

The response came fast.

They acknowledged the report. Fixed the vulnerability. And added my name to their Hall of Fame.

My first valid bug. My first Hall of Fame. 2024.

What the Server Should Have Done

The fix is not complicated in hindsight.

Never trust client-supplied pricing data. The server must recalculate the total independently on the backend before processing any payment. The discount, subtotal, GST, and final amount should all be derived from the server’s own records — not from parameters in the POST body that any user with an intercepting proxy can edit.

A mismatch check would also have caught a ₹1 total for a ₹30,000 ticket instantly: if confrence_total does not equal the server's own calculation, reject the transaction and log it as tampering. That check is a detection aid, not the fix. The amount handed to the payment gateway must come from the server's recalculation, never from the POST body, and the ticket should only be issued once the gateway confirms that exactly that amount was captured. A ₹1 capture against a ₹7,080 quote should fail at that second gate even if the first one is missed.

The vulnerability existed because the developers trusted the client. Clients should never be trusted with money.
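As an added example (not the platform's code, and not code from the post), here is the trust-the-client pattern described under "What Business Logic Vulnerabilities Actually Are" beside the server-side recalculation this section calls for, written in Python. The price list, GST rate, tier name and every function name are assumptions made for the illustration; only the form-body parameter names come from the intercepted request shown in the post, and the sample bodies are constructed from it.

```python
from decimal import Decimal, ROUND_HALF_UP
from urllib.parse import parse_qs

# Constructed stand-in for the platform's own price records (assumption).
PRICE_LIST = {
    "premium": {"base_fare": Decimal("30000"), "default_discount_pct": Decimal("80")},
}
GST_RATE = Decimal("0.18")  # 18% GST; consistent with 1080 GST on a 6000 subtotal in the post
PAISA = Decimal("0.01")

# Form body as it appeared in the intercepted request (parameter names kept
# verbatim, including the site's "confrence" spelling). Constructed sample input.
ORIGINAL_BODY = (
    "confrence_total_base_fare=30000&default_discount=80&confrence_sub_total=6000"
    "&confrence_sub_total_gst=1080&confrence_total=7080&isvalidcoupon=0&coupon_code="
)
# The two-parameter edit described in the post.
TAMPERED_BODY = ORIGINAL_BODY.replace(
    "default_discount=80", "default_discount=100"
).replace("confrence_total=7080", "confrence_total=1")


class PriceTamperingError(ValueError):
    """Raised when the client-supplied total disagrees with the server's figure."""


def parse_form(body: str) -> dict[str, str]:
    """Flatten an application/x-www-form-urlencoded body to single string values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_checkout(body: str) -> Decimal:
    """The flawed pattern: charge whatever total the browser posted back."""
    form = parse_form(body)
    return Decimal(form["confrence_total"])


def server_quote(tier: str) -> dict[str, Decimal]:
    """Recompute subtotal, GST and total from server-side records only."""
    tariff = PRICE_LIST[tier]
    discount_factor = (Decimal(100) - tariff["default_discount_pct"]) / Decimal(100)
    sub_total = (tariff["base_fare"] * discount_factor).quantize(PAISA, ROUND_HALF_UP)
    gst = (sub_total * GST_RATE).quantize(PAISA, ROUND_HALF_UP)
    return {"sub_total": sub_total, "gst": gst, "total": sub_total + gst}


def hardened_checkout(body: str, tier: str) -> Decimal:
    """Charge the server's quote; the client's copy is only a tamper signal."""
    form = parse_form(body)
    quote = server_quote(tier)
    client_total = Decimal(form.get("confrence_total", "0"))
    if client_total != quote["total"]:
        # Reject and log; never "correct" the charge to the client's number.
        raise PriceTamperingError(
            f"client total {client_total} != server total {quote['total']} for tier {tier!r}"
        )
    return quote["total"]


def may_issue_ticket(tier: str, amount_captured: Decimal) -> bool:
    """Second gate at fulfilment: only the full quoted amount earns a ticket."""
    return amount_captured == server_quote(tier)["total"]


if __name__ == "__main__":
    print("vulnerable, original body:", vulnerable_checkout(ORIGINAL_BODY))
    print("vulnerable, tampered body:", vulnerable_checkout(TAMPERED_BODY))
    print("hardened,   original body:", hardened_checkout(ORIGINAL_BODY, "premium"))
    try:
        hardened_checkout(TAMPERED_BODY, "premium")
    except PriceTamperingError as exc:
        print("hardened,   tampered body: rejected ->", exc)
    print("issue ticket after Rs 1 captured?", may_issue_ticket("premium", Decimal("1")))
```

The vulnerable handler returns 1 for the tampered body because it never looks at anything but the POST parameter. The hardened handler derives every figure from PRICE_LIST and GST_RATE, so the client's default_discount and confrence_total cannot influence the charge at all; the equality check exists only so the tampering attempt is rejected and logged rather than silently ignored. may_issue_ticket is the independent check at fulfilment: even if a checkout bug let a ₹1 charge reach the gateway, a ₹1 capture against a ₹7,080 quote would not produce a ticket.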

What This Bug Taught Me

I had read that business logic vulnerabilities were underrated in bug bounty. I did not believe it until this moment.

No fancy exploit. No CVE chain. No reverse engineering. One intercepted request, two parameter changes, and a global enterprise platform had a confirmed financial flaw.

The gap between reading about a vulnerability and finding one in the wild is smaller than you think. The only thing between them is the decision to actually test.

If you are a beginner: start with business logic. Learn Burp Suite intercept before you learn payloads. Understand how data flows between client and server before you try to break the server itself.

The first valid bug is not about skill. It is about curiosity applied consistently.

Mine cost me ₹1 and about an hour of actual testing.

If this was useful, follow — more coming.

Responsible disclosure note: This vulnerability was reported directly to the platform through their responsible disclosure process in 2024. The issue was patched promptly. No data was accessed, no systems were harmed, and no unauthorized access was retained. The ₹1 payment was a real transaction made during testing to verify exploitability with full intent to report.


Source: https://infosecwriteups.com/i-booked-a-30-000-conference-ticket-for-1-the-site-let-me-975075949de2?source=rss----7b722bfd1b8d---4