I was sitting in yet another painful DevOps class - the kind where phrases like “pipelines” and “infrastructure” get thrown around so aggressively that your brain starts to dissociate. I needed something, anything, to keep myself from falling asleep.

That’s when I stumbled upon Jashn-e-Rekhta - a massive 3-day Urdu/Hindi literary festival featuring names like Kailash Kher and Javed Akhtar. The kind of event you hear about and immediately know you have to be there.

The problem? Concert passes were priced at INR 1499. And as a student running on hostel food and borrowed Wi-Fi, that wasn’t happening. But the security engineer in me had a different question: how well does their payment system actually work?

Reconnaissance

I fired up Burp Suite, configured my browser’s proxy, and started mapping the application. The first thing I always do when testing an e-commerce or ticketing flow is trace the entire purchase lifecycle - from item selection to payment confirmation. You’d be surprised how many applications have their most critical logic flaws sitting right in the checkout pipeline.

The Rekhta ticketing site had a fairly standard flow:

1. Select your ticket tier
2. Fill in personal details (name, phone, email)
3. Hit “Pay” - which triggers a payment gateway

I watched the HTTP traffic as I walked through the flow. Most of the requests were unremarkable - static assets, session tokens, the usual noise. But one request caught my attention.

The Vulnerability

When you clicked the payment button, the frontend fired a POST request to an endpoint:

POST /api/createorder

The request body looked something like this:

{
  "name": "Aadhil Anwar",
  "phone": "+91XXXXXXXXXX",
  "email": "xxxxx@gmail.com",
  "ticketType": "concert",
  "amount": 1499
}

That amount field. Sitting right there in the request body. Client-controlled. Unsigned. Unvalidated.

This is what’s known as a parameter tampering vulnerability - specifically, a price manipulation flaw. The architecture assumed that whatever the frontend sent was gospel truth. There was no server-side validation cross-referencing the amount against the actual ticket price in the database. The backend was blindly trusting the client.

Now, any developer reading this might think: “Surely the payment gateway would catch this?” Here’s the thing - payment gateways like Razorpay process whatever amount they receive in the order creation call. They don’t know or care what the “correct” price is. That’s the merchant’s responsibility. If the merchant’s backend says “create an order for INR 2,” Razorpay creates an order for INR 2. The trust boundary was broken at the application layer, not the gateway layer.

The Exploit

I intercepted the request in Burp Suite’s Intercept tab, modified the amount parameter:

{
  "name": "Aadhil Anwar",
  "phone": "+91XXXXXXXXXX",
  "email": "xxxxx@gmail.com",
  "ticketType": "concert",
  "amount": 2
}

Forwarded the request. The server accepted it without flinching and returned a valid Razorpay order object with amount: 200 (Razorpay uses paise, so INR 2 = 200 paise). A UPI payment request for INR 2 popped up on my phone.

I paid it.

And just like that - I had a confirmed ticket to Jashn-e-Rekhta.

The payment confirmation email came through within seconds. The pass was delivered to my WhatsApp and email. A fully valid concert ticket, for the price of a candy bar.

Why This Matters

This isn’t just a “fun hack.” This is a textbook case of a broken trust boundary between the client and the server.

The root cause: The backend used the amount value from the frontend request to create the payment order, instead of looking up the actual ticket price from its own database. The server essentially said, “Whatever the user says they owe, that’s what they owe.”

In a properly designed system, the flow should look like this:

Frontend sends: { ticketType: "concert" }
Backend looks up: concert → INR 1499
Backend creates order: amount = 1499 (from DB, not from client)

The client should never have authority over pricing. The only thing the frontend should send is a ticket identifier - the backend should resolve everything else. The amount field in the request body should have never existed.

The impact was significant - any attacker could purchase tickets at any arbitrary price (including INR 0 if the gateway allowed it), effectively bypassing the entire payment system. For a festival of this scale, the potential revenue loss could have been massive.

The Fix

A proper remediation for this class of vulnerability involves:

1. Server-side price resolution - the backend should map ticket types to prices using its own data store, never accepting price from the client
2. Order integrity verification - before processing payment confirmation, verify the paid amount matches the expected amount
3. Signed payloads - use HMAC signatures on order parameters so tampering is detectable
4. Post-payment reconciliation - compare the amount received (from payment gateway webhook) against the expected amount before issuing the ticket

Did I Go to the Concert?

No. I didn’t.

Let’s just say the thrill of the hack was enough for me.

This vulnerability was responsibly reported to the Rekhta team and has been patched. No tickets were used, no financial damage was caused. Always hack responsibly.

I was going through my student inbox at LPU when an email marked Urgent caught my eye. Sent from what appeared to be a legitimate LPU email address, warning that inactive accounts would be “permanently closed” and urging immediate login through a link.

Standard phishing playbook. But the sender wasn’t a random Gmail or spoofed domain. It was sent from an actual LPU email address - an account that had already been compromised and was being weaponized to phish others from inside the trust boundary. LPU email addresses pass SPF, DKIM, and DMARC. They don’t get flagged. Students trust them by default.

The Phish

Pulled the email headers, extracted the link. A near-pixel-perfect clone of the Microsoft Outlook login portal.

One mistake: the page was in French. “Se connecter,” “Suivant,” “Besoin d’aide?” - the kit wasn’t localized for the target.

The form’s action didn’t POST to Microsoft. It posted to an attacker-controlled backend.

The C2

Traced the exfiltration flow. Credentials were being piped into a Telegram bot. The bot token and chat ID were embedded in the page’s JavaScript. Plaintext. No obfuscation.

var token = "7XXXXXXXXX:AAHXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
var chat_id = "XXXXXXXXXX";

Queried the bot’s message history via Telegram Bot API:

https://api.telegram.org/bot<token>/getUpdates

Full database of stolen credentials came back.

• Hundreds of compromised LPU accounts - students and staff
• Login attempts from multiple geographic locations
• Compromised accounts already being used to send more phishing emails - self-propagating chain
• Credentials from far beyond LPU sitting in the same C2 channel - the French Ministry of National Education (education.gouv.fr), major French electronics retailers, other .edu institutions, and multiple South Asian universities

The forwarding metadata tagged an account named “adamo”. The French login page, the French government and retail credentials in the same bot, the sheer spread of targets - this wasn’t just an attack on LPU. It was a multi-target, multi-country operation, and LPU was one node in a much larger campaign.

The Attack Chain

1. Attacker compromises initial LPU email account
2. Uses it to phish all contacts from a trusted address
3. Victim enters credentials on cloned Outlook page
4. Credentials exfiltrated to Telegram bot in real time
5. New credentials used to compromise more accounts
6. Self-propagating loop

The Response

I reported the findings to every affected domain I could identify from the C2 data - the French ministry, the retailers, the other universities. Most responded and acted on it.

LPU’s dean’s response: “It’s just student data, not staff data.”

Didn’t hear the full issue out. Hundreds of compromised accounts, an active self-propagating chain, credentials from French government ministries and retailers in the same C2 - and the man said “just student data.”

I’m sure the attacker appreciated the extra time.

I was running subdomain enumeration against a university’s root domain when one result stood out:

services.university.edu  [200] [ASP.NET Application]

A bare ASP.NET default page sitting in production. No branding, no login. Just the framework welcome screen - which already tells you the stack, signals a forgotten deployment, and screams “dig deeper.”

Hostnames and endpoints in this post have been changed.

I hit it with a targeted wordlist for ASP.NET-specific paths - /swagger, /api, /Help, /odata - and /Help came back 200.

It was a fully exposed API documentation page auto-generated by ASP.NET’s Web API Help Page. Every endpoint, every HTTP method, every parameter - all laid out in production.

Most endpoints had proper auth. But a cluster under /api/Media/ didn’t:

GET    /api/Media/GetPressRelease
GET    /api/Media/GetPressRelease/{id}
POST   /api/Media/AddPressRelease
PUT    /api/Media/UpdatePressRelease/{id}
DELETE /api/Media/DeletePressReleaseById/{id}

Full CRUD on the university’s official press releases. The content that goes on the homepage, gets picked up by media, gets shared across channels.

The Exploit

First, I pulled existing press releases:

curl -s https://services.university.edu/api/Media/GetPressRelease | jq '.[0]'

No auth token. No API key. No session. Raw response with live data and internal IDs.

Then I sent a DELETE with one of those IDs:

GET https://services.university.edu/api/Media/DeletePressReleaseById/5219

[
  {
    "$id": "1",
    "Status": 1,
    "Message": "Delete Successfully !"
  }
]

I figured it was a false positive - maybe the API just returns success regardless. So I sent a follow-up GET for the same ID.

404 Not Found.

Checked the university’s actual website. The news item was gone from the public feed.

One unauthenticated HTTP request deleted an official university press release from production.

The POST and PUT endpoints were equally exposed. I verified by creating a test entry (immediately removed it). Zero authentication on any write operation.

The Impact

Any person on the internet could:

• Create fake press releases - “Final exams cancelled,” “Tuition fees refunded,” politically motivated statements
• Modify existing ones - alter facts, inject misinformation, change quotes
• Delete real announcements - suppress official communications

For an institution with thousands of students, faculty, and media monitoring its channels, this is full compromise of the communication pipeline. The attack surface is a single curl command. Automating mass manipulation of the entire news feed would take minutes.

Root Cause

Multiple failures stacking:

Broken Access Control (OWASP A01:2021) - Write endpoints had zero auth checks. The server processed any request from any origin.

API Documentation in Production - The /Help endpoint gave attackers a full map of every endpoint and parameter. Blind enumeration turned into targeted exploitation.

No Network Segmentation - An internal CMS backend service was directly reachable from the public internet with no API gateway, no IP whitelist, no VPN.

Forgotten Infrastructure - The default ASP.NET landing page says it all. This was deployed, wired to the production database, and abandoned. Nobody was watching.

CVSS 9.6 (Critical)

Network-accessible, no authentication, full integrity impact on a public-facing communication channel. Availability impact is maximum - an attacker can wipe the entire news archive.

Reported and patched.