Buy Any Movie Tickets for Just Rs 10 (IDOR Vulnerability)

8 months ago 64

S33NU

Hello Hackers…

I know that you people like the price tampering vulnerability very much, and for those who have not heard about it, I am going to tell you everything in detail further.

About Price Tampering Vulnerability

Price manipulation, also known as parameter tampering, is a vulnerability that can occur in e-commerce applications when the server doesn’t validate user input or places too much trust in client-side validation. The server then calculates the price from values the client controls, which can allow attackers to order items at a low price or even for free. For example, an attacker could buy an item for ₹1 and get a full refund, or even buy an item priced at ₹1000 for ₹1.
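The server-side fix for the behaviour described above, as an added example that is not code from the affected site: a handler that trusts the client's amount next to one that recomputes the price itself and binds it to the order. The field names (`seat_type`, `quantity`, `amount`), the catalogue and the signing key are assumptions made for illustration.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed sample data: the server's own price list (Rs) and a demo key.
SEAT_PRICES = {"recliner": Decimal("1027"), "standard": Decimal("250")}
SIGNING_KEY = b"constructed-demo-key"  # placeholder; keep the real key in a secret store


class TamperedAmount(Exception):
    """The amount sent by the client disagrees with the server-side price."""


def quote_vulnerable(request: dict) -> Decimal:
    # Before: the charge is whatever number arrived in the request body.
    return Decimal(str(request["amount"]))


def quote_hardened(request: dict) -> Decimal:
    # After: the price comes only from server-side data.
    quantity = int(request["quantity"])
    if quantity < 1:
        raise ValueError("quantity must be at least 1")
    price = SEAT_PRICES[request["seat_type"]] * quantity  # KeyError on unknown seat
    claimed = request.get("amount")
    # The client amount is never used for charging; a mismatch is rejected
    # (and is worth logging as a tampering signal).
    if claimed is not None and Decimal(str(claimed)) != price:
        raise TamperedAmount(f"client sent {claimed}, server price is {price}")
    return price


def sign_order(order_id: str, amount: Decimal) -> str:
    # Bind the server-computed amount to the order before handing off to payment.
    msg = f"{order_id}|{amount.quantize(Decimal('0.01'))}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def confirm_payment(order_id: str, paid_amount, signature: str) -> bool:
    # Issue the ticket only if the amount actually paid matches the signed order.
    expected = sign_order(order_id, Decimal(str(paid_amount)))
    return hmac.compare_digest(expected, signature)
```

The second check matters because the amount can also be altered between checkout and the payment callback; comparing the paid amount against the signed order closes that gap.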

To maintain privacy I have hidden the website name as it is against policy to disclose the domain.

Coming back to the point, first I opened the website in which I had found the vulnerability of price tampering.

I chose the movie of my choice and started choosing the movie time. This movie wasn’t even released, so I had to watch that movie on the first day, first show.

I chose a recliner seat because watching a movie is more fun with a recliner seat. That seat was costly, but I was going to buy it for Rs 10.

When I had selected all the things, the ‘Book Now’ option came up. Then I opened Burp Suite and intercepted the request from the ‘Book Now’ button.

After that I changed the amount from 1027 to 10, forwarded this request and turned off intercept.

And then I was shown that thing after seeing which my reaction was something like this

And then I booked a ticket worth Rs 1027 by paying Rs 10.

TIPS: Always capture the request when you are making a payment.

Thanks for reading📖
