Hi Guys,

Back with one more interesting blog, explaining how I was able to find multiple vulnerabilities in India’s largest online movie booking portal, Bookmyshow. :)

Till now in my bug bounty hunting, I have realized one thing: companies which don’t have a bug bounty program are more reluctant to accept medium severity issues unless the vulnerabilities are highly impactful and critical, and the same happened here. Let’s see what the complete story was.

So the first vulnerability that I managed to find was a Host header attack: I was able to change the Host header value to any malicious site and get redirected there. Further, I was also able to poison the web cache, so whenever a user visited bookmyshow.com, they were redirected to the given malicious or phishing site. Below is the POC for it:

Host Header Attack — Original Page

Above is the original request, and it was vulnerable to a Host header attack. Here I will change the Host header to goal.com, and it can be observed in the screenshot below that the response is a 301 redirect, and the Location the application redirects to depends on the value of the Host header in the request:

Host Header Attack — Changed host header value

And I successfully got redirected to the site I supplied, goal.com:

Host Header Attack — Successful redirection

It was also leading to web cache poisoning, because this value was not validated on the server: once the redirect response was cached, any user who tried to access bookmyshow.com was redirected to the given malicious site. But there was a problem with this: the web cache was flushed very quickly, so the cache poisoning was neither persistent nor effective, and it didn't get the expected attention from the Bookmyshow security team. :) So I resumed my hunt in search of a better bug, and there came this:
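To make the two halves of the finding concrete, here is a small model of the behaviour described above: a redirecting endpoint that builds its Location header from the client-supplied Host header, a cache that keys responses on the path alone (which is what lets one forged request poison the response for later visitors), and a hardened handler that validates Host against an allowlist and always redirects to the canonical host. This is an added example written for this post, not Bookmyshow's code; the host names, the allowlist and the cache model are all constructed assumptions.

```python
# Added example (not BookMyShow's code): a minimal model of a redirecting
# endpoint that builds Location from the request's Host header, the hardened
# version with a host allowlist, and a naive cache keyed on the path only.
# All hosts, names and requests below are constructed for illustration.

CANONICAL_HOST = "in.bookmyshow.com"                     # assumed canonical host
ALLOWED_HOSTS = {"in.bookmyshow.com", "bookmyshow.com"}  # assumed allowlist


def vulnerable_redirect(headers, path):
    """Trusts whatever the client sent as Host when building Location."""
    host = headers.get("Host", "")
    return 301, {"Location": f"https://{host}{path}"}


def hardened_redirect(headers, path):
    """Validates Host against an allowlist and redirects to the canonical
    host, so a forged header cannot steer where the redirect points."""
    host = headers.get("Host", "").split(":")[0].strip().lower()
    if host not in ALLOWED_HOSTS:
        return 400, {}          # unknown Host: refuse rather than guess
    return 301, {"Location": f"https://{CANONICAL_HOST}{path}"}


def serve(cache, handler, headers, path):
    """A naive reverse-proxy cache: responses are keyed on the path only,
    ignoring the Host header. This is the cache-poisoning condition."""
    if path in cache:
        return cache[path]
    status, resp_headers = handler(headers, path)
    if status == 301:           # only redirects are cached in this model
        cache[path] = (status, resp_headers)
    return status, resp_headers


def poisoning_outcome(handler):
    """Replay one forged request followed by an ordinary visitor and return
    the Location the ordinary visitor ends up with (None if no redirect)."""
    cache = {}
    forged = {"Host": "attacker.example"}       # constructed forged header
    normal = {"Host": "in.bookmyshow.com"}      # constructed normal request
    serve(cache, handler, forged, "/")
    status, resp_headers = serve(cache, handler, normal, "/")
    return resp_headers.get("Location") if status == 301 else None


if __name__ == "__main__":
    print("vulnerable:", poisoning_outcome(vulnerable_redirect))
    print("hardened:  ", poisoning_outcome(hardened_redirect))
```

With the vulnerable handler the ordinary visitor receives the forged `https://attacker.example/` Location that the first request planted in the cache; with the hardened handler the forged request is rejected with 400, nothing is cached, and the visitor gets the canonical host. In a real deployment the cache layer should also include the Host header in its cache key (or send an appropriate `Vary`), so that even a validated redirect for one host is never served for another.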

How I was able to get complete access to anyone’s “experience”!!

Bookmyshow has the functionality by which a logged-in user can share their experiences.

User Experience page

Every experience has an ID associated with it. The URL looks like:

https://in.bookmyshow.com/national-capital-region-ncr/experiences/{Username}/test-hacked/5ab1284834e4ab0065ade267

and every user can see any other user’s experience ID just by viewing their experiences, so no brute forcing or other techniques were required to get another user’s experience ID. The exploit was simple: I just modified the link a little and added the path segment “create” (which I got by creating my own experience):

https://in.bookmyshow.com/national-capital-region-ncr/experiences/create/{victim experience id}

and here you go: by accessing the above URL, I got complete control over someone else’s experience. I could edit the name, upload any image, write any description, etc.!!!
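The root cause here is an authorization check that is missing on the edit route: the experience is looked up by its ID alone, and since the ID is public in every share URL, there is nothing left to protect it. The following added example (written for this post, not Bookmyshow's code) models the edit handler as described, beside a hardened version that scopes the lookup to the logged-in user. The store, the user names and the second ID are constructed; the first ID is the one visible in the URL quoted above.

```python
# Added example (not BookMyShow's code): a minimal model of the "experience"
# edit endpoint. Experience ids are public (they appear in every share URL),
# so the only thing that can protect the edit page is an ownership check tied
# to the logged-in session. Users, records and the second id are constructed;
# the first id is the one shown in the post's URL.
import copy

SEED = {
    "5ab1284834e4ab0065ade267": {"owner": "alice", "title": "test-hacked", "image": None},
    "5ab1284834e4ab0065ade268": {"owner": "bob", "title": "weekend-trek", "image": None},
}


def make_store():
    """Fresh copy of the constructed store so each run starts clean."""
    return copy.deepcopy(SEED)


def public_ids(store):
    """Every logged-in user can read every experience, so every id leaks
    through normal browsing; id secrecy is not a usable control here."""
    return sorted(store)


def edit_vulnerable(store, session_user, experience_id, changes):
    """Looks the record up by id only. The session user is never consulted,
    so any logged-in user can edit anyone's experience (the reported bug)."""
    record = store[experience_id]
    record.update(changes)
    return record


def edit_hardened(store, session_user, experience_id, changes):
    """Scopes the lookup to the caller: the record must exist AND belong to
    the session user. Both failures give the same error so that the edit
    route does not confirm which ids exist."""
    record = store.get(experience_id)
    if record is None or record["owner"] != session_user:
        raise PermissionError("experience not found or not owned by caller")
    record.update(changes)
    return record


def ownership_check_holds(store, session_user, experience_id):
    """True if the hardened route refuses the edit for this caller."""
    try:
        edit_hardened(store, session_user, experience_id, {"title": "probe"})
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    victim_id = public_ids(make_store())[0]
    s = make_store()
    print("vulnerable route edited:", edit_vulnerable(s, "eve", victim_id, {"title": "defaced"}))
    s = make_store()
    print("hardened route refused:", ownership_check_holds(s, "eve", victim_id))
    print("owner can still edit:", edit_hardened(s, "alice", victim_id, {"title": "renamed"}))
```

The fix is not to hide the ID but to make the query itself carry the session user (the equivalent of `WHERE id = ? AND owner = ?`) on every route that mutates an object, not only on the page that lists them. In an access log, a single session editing experiences owned by many different accounts is the pattern a defender would alert on.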