eqqn Security blog

Grehack2019

Yurevent - 50 Write-up

Category: Web

Points: 50

Author: Le_suisse

Description: AlpacaCon is one of those conferences where tickets are sold-out in minutes. Hopefully, there might be a way to get a ticket at a reasonable price.

We have a simple ticket sale website; however, all tickets are sold out (alluding to GreHack tickets this year).

Getting the ticket

If we try to submit a purchase with one of the pricy Benefactor tickets, the site responds with an error.

If we look at the POST request and its response, the error says `Insufficient funds` (you can see the network activity in the Firefox Developer Tools).

The parameter data we send with the request looks like this:

{"total":1500,"tickets":{"0":5},"billing":{"first_name":"eqqn","last_name":"eqqn","email":"grehack@f.tw"}}

We can make an educated guess that the ticket quantity is “0” and that the type is 5.

Replaying the request with a number lower than 1500 (the price?) returns errors in this case. If you don’t select any ticket, you get the error `No ticket selected`.

So when we set `"tickets":{"1":1}`, the request passes.

{"total":1500,"tickets":{"1":1},"billing":{"first_name":"eqqn","last_name":"eqqn","email":"grehack@f.tw"}}

GH19{frontend_validation_is_not_enough}
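
The flag's point, as an added example (not the challenge's source code): a server-side check that recomputes the total from its own price list and stock instead of trusting the submitted values. The catalogue, prices, stock, balance, and the reading of `tickets` as a map from ticket id to quantity are assumptions made for this sketch.

```javascript
// Constructed sample data: ids, names, prices and stock are assumptions,
// not values taken from the challenge.
const CATALOGUE = {
  "0": { name: "Benefactor", price: 1500, stock: 0 },
  "1": { name: "Student", price: 20, stock: 3 },
};

// The two request bodies shown in the write-up (billing omitted).
const REPLAYED = [
  { total: 1500, tickets: { "0": 5 } },
  { total: 1500, tickets: { "1": 1 } },
];

function validateOrder(order, catalogue, balance) {
  const tickets = order && order.tickets;
  if (tickets === null || typeof tickets !== "object" || Array.isArray(tickets)) {
    return { ok: false, error: "Malformed order" };
  }
  const entries = Object.entries(tickets);
  if (entries.length === 0) return { ok: false, error: "No ticket selected" };

  let total = 0;
  for (const [id, qty] of entries) {
    // Accept only ids that are own keys of the server's catalogue.
    if (!Object.prototype.hasOwnProperty.call(catalogue, id)) {
      return { ok: false, error: `Unknown ticket type ${id}` };
    }
    if (!Number.isInteger(qty) || qty < 1) {
      return { ok: false, error: "Invalid quantity" };
    }
    if (qty > catalogue[id].stock) return { ok: false, error: "Sold out" };
    total += catalogue[id].price * qty; // price comes from the server, never the client
  }
  // The submitted total is only compared against the recomputed one.
  if (order.total !== total) return { ok: false, error: "Total mismatch" };
  if (total > balance) return { ok: false, error: "Insufficient funds" };
  return { ok: true, total };
}

// Both replayed bodies are rejected; 100 is a constructed account balance.
for (const body of REPLAYED) {
  console.log(JSON.stringify(body), "->", validateOrder(body, CATALOGUE, 100));
}
```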

Thanks to Le_suisse for posting the source code of the challenges, so I can make the write-up once the event is over :)

Connection to Weezevent

Weezevent is a payment service provider used by many events in France. A similar bug was exploited by one security professional to get a ticket to GreHack. You can watch the presentation on the exploit (it’s really entertaining): Access-Granted