Business logic security bugs
A very long time ago, in the year 2004, there was an airline in India named Deccan Airlines. It was India’s first no-frills airline. They had a good sense of humor. At the check-in counter, they had a banner
You will never complain about your coffee. We don’t serve any.
Anyways, back to the topic. I have this bad habit of viewing HTML source code whenever I am feeling bored or I am just curious. Sometimes, when I am really bored or very curious, I open the developer tools tab of the browser to look at the traffic exchange between the page and the server. One fine day I was booking a ticket on their website and had my developer tab open (or a plugin, I think those days browsers didn’t have embedded developer tools). As I started booking, I noticed something interesting. I saw a field named PNR being passed around. If you don’t know what a PNR is, it is basically a booking reference number which is typically generated when a booking has been made. It stands for Person Name Record. What was interesting is that I haven’t even made the payment and yet, I saw this field being passed around as an HTTP form hidden field. That got me excited. But it was short-lived excitement. I opened a new tab and checked the PNR status. It wasn’t found. Bummer. Most likely, they were creating the PNR when you start the booking but don’t mark it as active unless payment has been made. I found the implementation very peculiar.
A long-time passed by. And then, one day I saw this huge print ad by the airline. The promotion was basically like this - if your PNR ends with 00 you will only pay ₹100 and if it ends with 50, you will pay only ₹50!
And there was it. The business logic security bug. All you had to do is basically start a bunch of booking sessions (in a
for loop) and you are bound to find a suitable PNR. Once you have found the PNR, just go ahead and pay for it.
Needless to say, the marketing team of the airline wasn’t aware that PNR value is automatically generated even before the payment has been made.