Practice Verified Codes and Commands:
1. Setting Up Burp Suite for Intercepting HTTPS Traffic:
- Install Burp Suite and configure your browser to route traffic through Burp.
- Use the following commands to route command-line tools through the proxy:
  export http_proxy=http://127.0.0.1:8080
  export https_proxy=http://127.0.0.1:8080
- Start Burp Suite and configure the proxy listener on port 8080.
2. Using Genymotion for Android Emulation:
- Install Genymotion and set up an Android virtual device.
- Use the following command to start Genymotion:
  genymotion
- Configure the Android device to use Burp Suite as a proxy by setting the proxy in the Wi-Fi configuration.
3. Intercepting and Modifying HTTP Requests with Burp Suite:
- Capture the HTTP request using Burp Suite.
- Modify the ticket price parameter in the intercepted request.
- Forward the modified request to the server.
4. Verifying the Vulnerability:
- After modifying the ticket price, check the response from the server.
- Verify that the ticket is booked at the modified price.
What Undercode Says:
The discovery of the TNSTC ticket booking bug highlights the critical importance of securing financial transactions in applications. This vulnerability, which allowed users to book tickets at a fraction of the actual cost, underscores the need for rigorous security audits and robust parameter validation mechanisms.
In the realm of cybersecurity, such vulnerabilities are often exploited through techniques like parameter tampering, SQL injection, and cross-site scripting (XSS). To mitigate these risks, developers should implement input validation, use secure coding practices, and regularly update their applications to patch known vulnerabilities.
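As an added example (not code from the original post or from TNSTC), here is the pattern behind this class of bug and its fix in Python: the vulnerable handler bills whatever price the request carries, while the hardened handler looks the fare up server-side and treats a mismatching client price as a tampering signal to reject and log. The route ids, fares and form field names are constructed for illustration.

```python
# Added example, not code from the original post: a booking handler that trusts the
# client-submitted price, beside a hardened version that recomputes the fare server-side.
from dataclasses import dataclass

FARE_TABLE = {"CHN-MDU": 550, "CHN-CBE": 480}  # constructed: route -> fare per seat


class BookingError(ValueError):
    """Raised when a booking request is rejected."""


@dataclass
class Booking:
    route: str
    seats: int
    charged: int  # total the server will bill


def book_vulnerable(form):
    """Vulnerable: the per-seat price is read from the request, so whoever can edit
    the request in transit (an intercepting proxy) decides the bill."""
    route = form["route"]
    if route not in FARE_TABLE:
        raise BookingError("unknown route")
    seats = int(form["seats"])
    price = int(form["price"])  # attacker-controlled
    return Booking(route, seats, price * seats)


def book_hardened(form):
    """Hardened: the fare comes only from the server-side table; a client-sent price
    is compared for tamper detection and never used for billing."""
    route = form.get("route")
    if route not in FARE_TABLE:
        raise BookingError("unknown route")
    try:
        seats = int(form.get("seats", ""))
    except ValueError:
        raise BookingError("seats must be an integer") from None
    if not 1 <= seats <= 6:
        raise BookingError("seats out of range")
    fare = FARE_TABLE[route]
    if "price" in form and str(form["price"]) != str(fare):
        # A mismatch means the client altered the price: reject it and log the attempt.
        raise BookingError(f"price tampering: got {form['price']}, expected {fare}")
    return Booking(route, seats, fare * seats)


def charged_amount(handler, form):
    """Return the amount a handler would bill, or None if it rejected the request."""
    try:
        return handler(form).charged
    except BookingError:
        return None
```

The same tampered request that bills 2 under the vulnerable handler is rejected by the hardened one, and the rejection message is what a detection rule should alert on.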
For those interested in exploring similar vulnerabilities, here are some useful Linux and Windows commands:
- Linux:
  - Use `nmap` to scan for open ports and services:
    nmap -sV <target_ip>
  - Use `curl` to test HTTP requests:
    curl -X POST -d "param1=value1&param2=value2" http://example.com
  - Use `tcpdump` to capture network traffic:
    tcpdump -i eth0 -w capture.pcap
- Windows:
  - Use `netstat` to display active connections:
    netstat -an
  - Use `ping` to check network connectivity:
    ping <target_ip>
  - Use `telnet` to test TCP connections:
    telnet <target_ip> <port>
Regular security audits, penetration testing, and adherence to secure coding standards are essential to prevent such vulnerabilities. Additionally, organizations should establish Vulnerability Disclosure Programs (VDPs) to encourage ethical hackers to report security issues responsibly.
For further reading on secure coding practices and vulnerability discovery, consider the following resources:
- OWASP Secure Coding Practices
- Burp Suite Documentation
- Genymotion User Guide
By staying vigilant and proactive, we can contribute to a safer digital environment and protect critical systems from exploitation.