HBH Con v2 vuln...
Well, I was looking at buying a ticket, and noticed that there was a PayPal button on the description page…I viewed the source, and saw that the amount was right there in JavaScript. I used a JavaScript injection (javascript:void(document.forms[0].amount.value=".01");) to change the 15 to 1 cent…then I clicked the PayPal button, and the total amount said .01.
Not sure if you meant to do that, or if I am just stupid…but I am just letting you know…
It's not a vulnerability on HBH, because there's not a huge mass of orders or anything, so each payment is easily checkable. But Yahoo! has the same vulnerability with GeoCities (the paid packages). My friend used one for nearly free for about 2 months, but wussed out (ok, I would've done the same) and quit.
P.S. - He never got caught :p
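
The reply above relies on each payment being checked by hand. As an added example (not code from HBH or from either poster), the same check can be automated on the server by comparing the amount actually paid with a price list the browser never sees. The item id, currency, field names and sample notifications are constructed assumptions; only the price of 15 comes from the thread.

```javascript
// Server-side price list: item id -> expected price in integer cents.
// "con-ticket" and USD are assumptions made for this example.
const PRICE_LIST = new Map([["con-ticket", { cents: 1500, currency: "USD" }]]);

// Parse a decimal string such as "15.00" or ".01" into integer cents.
// Returns null for anything that is not a plain non-negative decimal,
// so signs, exponents and extra decimals never reach the comparison.
function toCents(amount) {
  const m = /^(\d*)(?:\.(\d{1,2}))?$/.exec(String(amount).trim());
  if (!m || (m[1] === "" && m[2] === undefined)) return null;
  const whole = m[1] === "" ? 0 : parseInt(m[1], 10);
  const frac = m[2] === undefined ? 0 : parseInt(m[2].padEnd(2, "0"), 10);
  return whole * 100 + frac;
}

// Decide whether one payment notification may be fulfilled.
// The expected price is looked up by item id; the amount field coming
// from the payment flow is treated as untrusted input.
function checkPayment(note) {
  const expected = PRICE_LIST.get(note.item);
  if (!expected) return { ok: false, reason: "unknown item" };
  const paid = toCents(note.amount);
  if (paid === null) return { ok: false, reason: "malformed amount" };
  if (note.currency !== expected.currency) {
    return { ok: false, reason: "currency mismatch" };
  }
  if (paid !== expected.cents) {
    return { ok: false, reason: `paid ${paid} cents, expected ${expected.cents}` };
  }
  return { ok: true, reason: "amount matches price list" };
}

// Return the transactions that must not be fulfilled automatically.
function flagMismatches(notes) {
  return notes
    .map((n) => ({ txnId: n.txnId, ...checkPayment(n) }))
    .filter((r) => !r.ok);
}

// Constructed sample notifications (hypothetical field names).
const SAMPLE = [
  { txnId: "T1", item: "con-ticket", amount: "15.00", currency: "USD" },
  { txnId: "T2", item: "con-ticket", amount: ".01", currency: "USD" },
  { txnId: "T3", item: "con-ticket", amount: "15", currency: "EUR" },
  { txnId: "T4", item: "con-ticket", amount: "-15.00", currency: "USD" },
];

console.log(flagMismatches(SAMPLE));
```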