Uncovering a Parameter Tampering Vulnerability in Event Expo Ticketing System


Sulman Farooq S

Parameter Tampering Attack

Summary:

A parameter tampering attack relies on manipulating the parameters a user's client sends to the server in order to change application data such as user credentials, permissions, or the price and quantity of a product. Usually this data is passed in POST request bodies or in hidden form fields.
We will be looking at the price manipulation vulnerability that is present in almost every online shopping cart and payment gateway these days.

Introduction:

While casually scrolling through my Instagram feed, I stumbled upon an advertisement for a business event expo. Intrigued by the event, I decided to visit the website to gather more information about it. Little did I know that this casual browsing would lead me to uncover a critical security flaw in the event expo’s ticketing system.

Discovery:

Upon landing on the event expo’s website, I noticed that tickets were available for purchase. As a security enthusiast, I couldn’t resist the urge to inspect the underlying mechanisms of the ticketing process. After some preliminary exploration, I identified a potential vulnerability stemming from a misconfiguration between the webpage and the payment gateway.

Exploitation:

Driven by the curiosity to test the vulnerability, I attempted to tamper with the ticket prices. Using simple manipulations, I successfully modified the ticket prices and proceeded to initiate the purchase process. To my surprise, the server responded positively to the altered prices, confirming the presence of a critical security loophole.

Proof of Concept:

1. While intercepting the traffic, locate the ticket price, which should be highlighted in the intercepted data.
2. Modify the ticket price from Rs 2000 to Rs 10 in the intercepted request. After making the change, forward the modified request to the server.
3. Proceed to make the payment for the modified amount (Rs 10) using the payment QR code displayed on the screen.
4. Verify that the payment was successful, as indicated in the image provided.
5. Confirm that you have received the receipt details and the booked ticket reference number in the email, as shown in the image below.

Reporting:

Recognizing the severity of the issue, I promptly reported my findings to the event expo’s technical team. I provided detailed steps to reproduce the vulnerability and emphasized the urgency of addressing it to prevent any potential exploitation by malicious actors. Understanding the gravity of the situation, the technical team acknowledged my report and assured me that they would take immediate action to rectify the vulnerability.

Remediation:

Don't rely on controls that depend on the browser: don't depend on client-side validation or on values stored in the browser. When a product is added to the cart, calculate an MD5 sum or any other hash over the whole request and compare it on the backend, so that if any value in the request has been manipulated, the hash differs from the server's. Validate input for improper characters and data types. Specifically for this case, we can add a check that rejects negative quantities. Keeping the range at 1–10: since the maximum value is defined, we can define the minimum value as well. Always define both the maximum and the minimum value that the application will accept.
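To make these controls concrete, here is an added Python example of how a ticketing backend can apply them; it is not code from the original post or from the expo's ticketing system. The ticket types, prices, the 1–10 quantity range, the server key and all function names are constructed for illustration. One deliberate change from the text above: the digest over the cart is a keyed HMAC rather than a plain MD5 sum, because a hash the browser can recompute offers no protection (a tamperer would simply re-hash the modified values), whereas a tag keyed with a secret held only by the server cannot be forged by the client.

```python
"""Server-side checkout validation against price and quantity tampering.

Constructed example: the authoritative catalogue lives on the server, every
chargeable amount is recomputed from it, quantities are range-checked, and the
cart summary handed to the client is protected with a server-keyed HMAC so
that any modification of the echoed request is detected at checkout.
"""
import hashlib
import hmac
import json

# Constructed catalogue: the only source of truth for prices (in Rs).
CATALOGUE = {
    "standard": 2000,
    "vip": 5000,
}

# Constructed bounds: the application accepts 1 to 10 tickets per type.
MIN_QTY, MAX_QTY = 1, 10

# Constructed secret known only to the server; it is never sent to the browser.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def cart_signature(items, key=SERVER_KEY):
    """Return a keyed digest over the canonical cart contents.

    Sorting the items gives a stable encoding regardless of the order in
    which the client lists them, so the tag only changes when a value does.
    """
    canonical = json.dumps(sorted(items.items()), separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def price_cart(items):
    """Compute the total from the catalogue, validating every quantity.

    `items` maps ticket type -> quantity. Raises ValueError for unknown
    ticket types, non-integer quantities, or quantities outside 1-10
    (which also rejects zero and negative values).
    """
    total = 0
    for ticket, qty in items.items():
        if ticket not in CATALOGUE:
            raise ValueError(f"unknown ticket type: {ticket!r}")
        if not isinstance(qty, int) or isinstance(qty, bool):
            raise ValueError(f"quantity for {ticket!r} must be an integer")
        if not MIN_QTY <= qty <= MAX_QTY:
            raise ValueError(
                f"quantity for {ticket!r} outside {MIN_QTY}-{MAX_QTY}: {qty}"
            )
        total += CATALOGUE[ticket] * qty
    return total


def add_to_cart(items):
    """Add-to-cart step: price the items and return a signed cart summary."""
    total = price_cart(items)
    return {"items": items, "total": total, "sig": cart_signature(items)}


def checkout(request):
    """Checkout step: decide the amount the payment gateway is told to charge.

    The request echoes the cart summary back and may have been altered in
    transit. The client-supplied "total" is never used; the amount is always
    recomputed from the catalogue. A signature mismatch means the items were
    modified after the server signed them and the request is rejected.
    """
    items = request.get("items")
    if not isinstance(items, dict):
        raise ValueError("malformed cart")
    expected = cart_signature(items)
    if not hmac.compare_digest(expected, str(request.get("sig", ""))):
        raise ValueError("cart signature mismatch: request was modified")
    # Recomputing here is what defeats a changed price field: a request
    # carrying total=10 for a Rs 2000 ticket is still charged Rs 2000.
    return price_cart(items)


if __name__ == "__main__":
    cart = add_to_cart({"standard": 1})
    tampered = dict(cart, total=10)
    print("charged:", checkout(tampered))  # 2000, not 10
```

Recomputing the amount server-side is on its own enough to stop the price change described in this post; the signature check adds what the remediation text asks for, a way to detect that the request was altered, so the attempt can be rejected and logged rather than silently repriced.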

Conclusion:

My accidental discovery of this vulnerability serves as a reminder of the importance of rigorous security testing in the development and maintenance of online platforms. By promptly reporting the issue to the concerned authorities, I hope to contribute to the enhancement of the event expo’s security posture and prevent any potential security breaches in the future.


Happy Hacking 😊
