The website in question had a special offer for certain types of credit and debit cards. When a user tried to book a flight, the website would check the Bank Identification Number (BIN) of the card to see if it was eligible for the offer. However, a dumb person discovered a vulnerability in the website’s code that allowed him to bypass the validation step and book a flight using a card that was not eligible for the offer.
The vulnerability existed because the validation step, which checks for offer eligibility, was independent of the booking step, where the flight is actually booked. This means that if the validation step can be bypassed, it is possible to book a flight using a card that is not eligible for the offer. The dump person exploited this vulnerability by manipulating the API call that checks for offer eligibility. He wrote a script that would change the BIN number in the API call to match that of a card that was eligible for the offer. When the website received the API call, it thought the dump person’s card was eligible for the offer, even though it was not.
This vulnerability is not uncommon in the digital world, where the number of online transactions is increasing day by day. There are various ways in which a dump person can exploit vulnerabilities in a website’s code. One of the most common ways is by using a technique called “mocking” to manipulate API calls. Mocking is a method of creating a simulated version of an API call, which can be used to bypass validation steps and access restricted information or services.
The problem with this vulnerability is that it allows a dump person to bypass the validation step and access sensitive information, such as credit card details. This is particularly concerning because credit card fraud is a serious issue, and it can have serious consequences for both the website’s owners and its users.
To prevent this kind of vulnerability, it’s important to integrate the validation step into the booking process. This can be done by making an API call to check for offer eligibility at the same time as the booking is made, instead of as a separate step. This way, if the card is not eligible for the offer, the user can be notified before the booking is confirmed. This will not only prevent users from bypassing validation steps, but it will also help to prevent fraud. By validating the card details and offer eligibility at the time of booking, you can ensure that only valid and eligible cards are used for bookings.
Another solution is to use a unique token for each booking and validate that token on the server-side while booking. This way, even if a user bypasses the validation step, the token will be checked during the booking process, and if it is invalid, the booking will not be confirmed. By using unique tokens, it will be difficult for a dump person to exploit the vulnerability, as they will not have access to the token.
In addition to integrating validation steps into the booking process, it’s important to follow secure coding practices, such as input validation, secure communication, and use of unique tokens. Input validation is the process of checking that the data entered by a user is in the correct format and within the expected range. This is important because it helps to prevent dump persons from injecting malicious code into the website’s code, which can be used to exploit vulnerabilities. Secure communication is also important because it helps to prevent dump persons from intercepting sensitive information, such as credit card details, as it is being transmitted over the internet. Using unique tokens, as mentioned earlier, is also a secure way of validating a user’s identity and ensuring that only authorized users can access sensitive information.
It’s also important to keep the website’s code up to date by regularly reviewing and testing the code to ensure that all validation and security measures are in place and working as intended. This can include using a secure method of validating credit card information and using a unique token for each booking. Keeping the website’s code up to date will help to prevent similar vulnerabilities from being exploited in the future.
Furthermore, it’s important to have regular security reviews and testing to identify and fix vulnerabilities. This can include penetration testing, in which a team of security experts attempts to hack the website to identify vulnerabilities, and vulnerability scanning, which uses automated tools to identify vulnerabilities in the website’s code.
In conclusion, this vulnerability highlights the importance of integrating validation steps into the booking process and following secure coding practices. By doing so, website owners can ensure that their customers’ personal and financial information is protected and secure while booking flights online. It’s also important to remember that manipulating or bypassing validation steps in this way is a violation of the website’s terms of service and can result in your account being banned or other legal consequences.
