Challenge 5 – Tickets
Get tickets to the Show. Enjoy the Show.
Last updated
Enjoy going to the movies? This page is for booking the show. Unfortunately, there is only one ticket left. All the other tickets were sold offline. Whoever is able to complete the transaction first will get the ticket.
Let us visualize the happy path with the help of a sequence diagram:
That is just the happy path for one user purchasing a ticket. Let us reimagine the same scenario but with two users acting at the same time.
There is only one condition to be met for a user to purchase the ticket - there should be at least one ticket available in the system.
Let us see if the application is performing those checks:
Go to the login page
Login as any user
Navigate to the buy tickets page
Click on Buy One Ticket button
Observe the message You have 1 ticket(s) on top of the page
Click on Buy One Ticket button again
See that nothing happens
Logout and login as another user
Navigate to the buy tickets page
Click on Buy One Ticket button
See that the user is not able to buy a ticket since there are no more tickets left
We need to find a way to purchase two tickets. How can we do that? What if we click on the buy ticket button multiple times very fast? That won't help, because the page needs to reload after each click.
It’s time to slow down TimeGap Theory:
On your browser, navigate to the Settings page
Change the time delay to 5 seconds
Click on the Save button
Now, TimeGap Theory will wait 5 seconds before every database write operation.
Preparation phase
Navigate to the Admin page
Click on the create default users button
Open two browsers side by side (use a private/incognito window if you do not have two browsers)
Navigate to the login page on both the browsers
On the first browser:
Click on the first user button on top
This will fill the user data for user Tom
Submit the form to log in as Tom
On the second browser:
Click on the second user button on top
This will fill the user data for user Jerry
Submit the form to log in as Jerry
Alright, the preparation is done. Here comes the exploitation phase.
Exploitation phase
On both the browsers:
Navigate to the buy tickets page
Click on the Buy One Ticket button
Let us see how that turns out.
Post-exploitation phase
Let us wait for both browsers to complete the request
You can see that both users have one ticket on their account
If you check your scores, you will see that you have got 100 points for completing the buy tickets challenge.
Don't forget to change the delay to 0 on the settings page.
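The race the two browsers exercise above, reproduced as an added example that is not part of the lab's own code: a check-then-act purchase (SELECT the stock, wait, then UPDATE) against a constructed SQLite table, run by two threads standing in for Tom and Jerry, beside the hardened version that takes the write lock first and decrements only where stock remains. The table layout, the `write_delay` argument (standing in for the Settings-page delay) and the user names are assumptions.

```python
import os
import sqlite3
import tempfile
import threading
import time

# Constructed stand-in for the lab's ticket storage: one stock row, one row per purchase.
def make_db(path, tickets=1):
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE stock (id INTEGER PRIMARY KEY, available INTEGER NOT NULL)")
    conn.execute("CREATE TABLE purchases (user TEXT NOT NULL)")
    conn.execute("INSERT INTO stock (id, available) VALUES (1, ?)", (tickets,))
    conn.commit()
    conn.close()

def buy_vulnerable(path, user, write_delay):
    """Check-then-act: the availability check and the decrement are separate statements."""
    conn = sqlite3.connect(path, timeout=10, isolation_level=None)  # autocommit: one query per call
    rows = conn.execute("SELECT available FROM stock WHERE id = 1").fetchall()
    if rows[0][0] < 1:
        conn.close()
        return False
    time.sleep(write_delay)  # the gap between check and write that the Settings-page delay widens
    conn.execute("UPDATE stock SET available = available - 1 WHERE id = 1")
    conn.execute("INSERT INTO purchases (user) VALUES (?)", (user,))
    conn.close()
    return True

def buy_fixed(path, user, write_delay):
    """Check and decrement in one guarded statement inside a write transaction."""
    conn = sqlite3.connect(path, timeout=10, isolation_level=None)
    conn.execute("BEGIN IMMEDIATE")  # take the write lock first; a second buyer waits here
    time.sleep(write_delay)          # same delay, but now nobody else can read-then-write
    cur = conn.execute(
        "UPDATE stock SET available = available - 1 WHERE id = 1 AND available > 0")
    if cur.rowcount != 1:  # stock was already gone: no ticket for this buyer
        conn.execute("ROLLBACK")
        conn.close()
        return False
    conn.execute("INSERT INTO purchases (user) VALUES (?)", (user,))
    conn.execute("COMMIT")
    conn.close()
    return True

def race(buy, write_delay=1.0):
    """Two buyers click at the same instant; returns (tickets sold, stock left)."""
    path = os.path.join(tempfile.mkdtemp(), "tickets.db")
    make_db(path, tickets=1)
    threads = [threading.Thread(target=buy, args=(path, u, write_delay))
               for u in ("Tom", "Jerry")]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    conn = sqlite3.connect(path)
    sold = conn.execute("SELECT COUNT(*) FROM purchases").fetchone()[0]
    left = conn.execute("SELECT available FROM stock WHERE id = 1").fetchone()[0]
    conn.close()
    return sold, left

if __name__ == "__main__":
    print("vulnerable:", race(buy_vulnerable))  # (2, -1): both users get the single ticket
    print("fixed:     ", race(buy_fixed))       # (1, 0): only one purchase goes through
```

With the vulnerable purchase both threads read a stock of 1, each decrements, and the stock ends at -1 with two purchases recorded; with the guarded UPDATE the second transaction finds no stock and gets nothing. Making the check and the write one atomic statement (or one row-locked transaction) is the fix the ticket page needs; slowing the database only widens a window that was already there.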
Automation
As always, we need a way to automate this.
Pro-tip - you can skip this in real life if the webmaster is your friend and is ready to slow down the server for you.
First, we need a valid fetch request:
Open your browser (Chrome or Firefox)
Navigate to TimeGap Theory > Webapp > Login
Click on the first user button. This will load the user data for Tom
Click on the Sign in button
Navigate to the buy tickets page
Open up dev tools by pressing F12 on the browser
On Windows, you can use Ctrl + Shift + I
On Mac, you can use Cmd + Shift + I
Click on the Buy one ticket button
On the browser dev tools, click on the Network tab
Right click on the buy-ticket.php request
Click on Copy > Copy as fetch
Paste that on the Console tab of the browser dev tools. You will get something like the following:
Depending on your browser, the copied fetch request may be somewhat longer. Feel free to trim it down to the bare-minimum version shown above.
Now we have one request, and we need two.
It can be done by pasting the fetch request a second time without pressing the Enter key in between. However, it is good practice to separate each request with a comma. Let us do that.
Before running this new command, we need to clear the slate. It involves three simple steps:
Ensure that there is no delay
Go to TimeGap Theory > Settings
Ensure that the delay is set to 0
Reset database and create users
Go to TimeGap Theory > Admin
Click on reset database button
Go back to TimeGap Theory > Admin
Click on create default users button
Clear the current score
Go to TimeGap Theory > Score
Click on the Clear button
Alright, our slate is clear. Let us execute the attack now:
Navigate to the Login page
Click on the first user button on top. This will fill the user data for user Tom
Click on the Sign In button
Enter the combined fetch request on the Console tab of browser dev tools
Press the Enter key
Refresh the page
You will see that our attack attempt is unsuccessful.
What happened?
Two things went wrong:
The Buy Tickets page of TimeGap Theory is authenticated. We need to supply the cookie as well in order for this request to be successful
Since an authenticated session is involved, the webapp processes requests from the same session one by one
We need to solve both these problems for the automation to be successful.
Problem 1 - Cookie
The fetch request does not support sending cookies, so we need an alternate solution. cURL supports sending cookies, so we can use that.
Problem 2 - Only one request per session
This can be solved by creating two sessions for the same user. How can we do that?
We will sign into Tom’s account on the first browser.
We will sign into Jerry’s account on the second browser.
This way we will get two separate active sessions.
Now, we need valid cURL requests with session tokens in it.
Let us obtain the first one:
Open your browser (Chrome or Firefox)
Navigate to TimeGap Theory > Webapp > Login
Click on the first user button. This will load the user data for Tom
Click on the Sign in button
Navigate to the Buy Tickets page
Open up dev tools by pressing F12 on the browser
On Windows, you can use Ctrl + Shift + I
On Mac, you can use Cmd + Shift + I
Click on the Buy One Ticket button.
On the browser dev tools, click on the Network tab
Right-click on the buy-tickets.php request.
Click on Copy > Copy as cURL
For getting the second one:
Open another browser (Chrome or Firefox)
Navigate to TimeGap Theory > Webapp > Login
Click on the second user button. This will load the user data for Jerry
Click on the Sign in button
Navigate to the Buy Tickets page
Open up dev tools by pressing F12 on the browser
On Windows, you can use Ctrl + Shift + I
On Mac, you can use Cmd + Shift + I
Click on the Buy One Ticket button
On the browser dev tools, click on the Network tab
Right click on the buy-tickets.php request.
Click on Copy > Copy as cURL
Now that we have both requests, let us run them in parallel. Before doing that, we need to clear all the previous ticket purchases. This can be done by reloading the create-users.php page located at TimeGapTheory > Webapp > Admin > Create Users.
Once you have reloaded the create-users.php page, follow the steps below:
Open your command prompt/Terminal window
If you are on Windows:
    Type start /b
    Put a space
Enter the first cURL request
Put a space
Enter the ampersand symbol (&)
Put a space again
If you are on Windows:
    Type start /b
    Put a space
Enter the second cURL request
If you are on Windows:
    Remove the “--compress” parameter from both requests. Some versions of cURL do not support it.
Now, press the Enter/Return key
Let us see if we are successful or not:
Go to the first browser window
Refresh the Buy Tickets page
Note the message on the top that says You have 1 ticket(s)
Go to the second browser window
Refresh the Buy Tickets page
Note the message on the top that says You have 1 ticket(s)
Check if you got points for completing the Buy Tickets challenge
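A way to script the two parallel authenticated requests above as a repeatable check, for instance as a regression test after the page has been fixed. This is an added example, not code from TimeGap Theory: it starts a constructed local stand-in for buy-tickets.php that records when each session's request arrives, then sends one request per session at the same instant, the equivalent of the two cURL commands joined by an ampersand. The `PHPSESSID` cookie name and the placeholder session values are assumptions; against the real lab you would substitute the cookies copied from the two browsers and point `buy_ticket` at the lab's host.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Placeholder session cookies (assumption): one per logged-in browser, Tom and Jerry.
SESSIONS = {
    "Tom": "PHPSESSID=TOM_SESSION_PLACEHOLDER",
    "Jerry": "PHPSESSID=JERRY_SESSION_PLACEHOLDER",
}

class StubBuyTickets(BaseHTTPRequestHandler):
    """Constructed stand-in for buy-tickets.php: notes when each session arrived, then waits."""
    arrivals = {}  # cookie -> monotonic time the request reached the server

    def do_GET(self):
        cookie = self.headers.get("Cookie", "")
        StubBuyTickets.arrivals[cookie] = time.monotonic()
        time.sleep(1.0)  # stands in for the server-side write delay
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"You have 1 ticket(s)")

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_stub():
    server = ThreadingHTTPServer(("127.0.0.1", 0), StubBuyTickets)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def buy_ticket(host, port, cookie):
    """One authenticated request, the equivalent of `curl -b <cookie> .../buy-tickets.php`."""
    conn = HTTPConnection(host, port, timeout=10)
    conn.request("GET", "/buy-tickets.php", headers={"Cookie": cookie})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body

def race(sessions=SESSIONS):
    """Fire one request per session at once; return (statuses, seconds between arrivals)."""
    server = start_stub()
    host, port = server.server_address
    StubBuyTickets.arrivals.clear()
    try:
        with ThreadPoolExecutor(max_workers=len(sessions)) as pool:
            results = list(pool.map(lambda c: buy_ticket(host, port, c), sessions.values()))
    finally:
        server.shutdown()
        server.server_close()
    times = list(StubBuyTickets.arrivals.values())
    spread = max(times) - min(times)
    return [status for status, _ in results], spread

if __name__ == "__main__":
    statuses, spread = race()
    print("statuses:", statuses, "arrival spread: %.3fs" % spread)
```

The arrival spread returned by `race` is the number to watch: smaller than the server-side delay means the two requests overlapped on the server rather than being handled one after the other, which is the condition the single-session fetch attempt could not meet.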
What would be the business impact of such an attack? Depending on how the app is designed, there are several possibilities:
A legitimate user may show up for the show and realize that another user also got the same ticket
The business would end up with unhappy customers, paying compensation, etc.
Let us review what we did:
The buy tickets page checks the stock of the tickets before allowing the user to book it
You analyzed this behavior by trying to purchase two tickets
First, you slowed down the system and bypassed the business logic
Then you tried bypassing the business logic using fetch requests on browser dev tools and failed
You learned that fetch requests are not useful while trying to send cookies to the server
You moved onto cURL as it supports sending cookies and you were able to purchase one ticket each for two users.
Now you know how TOC/TOU security issues can affect buy tickets pages