India’s 2nd Largest Travel Agency Benefits from Defencely’s Incidence Handling

India’s 2nd Largest Travel Agency Benefits from Defencely’s Incidence Handling

This might not be a fairy tale of an incident handling case where the cyber security experts @Defencely were able to crack open something in a minute and expose the flaw. But in such cases, to save India’s 2nd largest travel agency – a brief active incident handlers were required to slam out the existing flaw and hence save financial data at stake.

Incident Handling – The Case

Defencely received an urgent mail that one of our client’s security had been compromised internally and the execution server which were compromised seemed to have a promotion coupon handler which takes care of the discounted values. Being an online second largest travel agency – the flaw in itself was newly integrated into the systems not long before and the module wasn’t tested for proactive security and in due course had given flattened economy to the company.


A client side JavaScript functionality was used in order to validate the tokens, values, etc but the attacker managed to break it’s security recently after integration of the module. On before implementation of this new module – the sysadmins weren’t aware of a shell access backdoor from the past which led to worsening the fact that even if the module was segregated – the attacker was able to change the values directly at the database tier level and hence provide beneficiary discount for himself often leading to price value as below as zero.

This was a huge mercenary hack for the travel agency which provided airlines, railways, and hotel booking services with discounted values at intervals and this open threat was brought to attention of Defencely at the right time span to close out each and every loophole and add value to the client.


Handling Client Side Validation

When we talk of security, there are almost most transparent imminent flaws which developers keep missing with new technologies coming in and one of these technologies is JavaScript. When used the right way, JavaScript can provide efficient, seamless load balancing tasks and good security for validation but if JavaScript is poorly written without having it’s unit testing done at the application security level – the threats could later exist which might need plenty of homework to do for the security experts.

Fig.1: Tampering SOAP Responses

Fig.2: Discounted Value with eCash

The technical flaw here was a methodological attempt to get discounted value for the offers which were active. For this an attacker should have a registered account with the agency and was required to tamper the values in the SOAP responses. The handler of the SOAP responses was an independent internal system which was fed with the task of validation. Here’s the working of the ‘hack’ with client side validation:

  1. An attacker registers himself an account with traveler agency providing booking services.
  2. The attacker next chooses an offer value from the agency and uses a discounted coupon.
  3. An attacker having chosen a PROMO CODE is liable to only deduction of a %tage of total.
  4. However, when an attacker is in the promotion code application form, he tampers the data.
  5. The attackers changes the value to an amount he prefers suitable and increases value of eCash.
  6. eCash is a virtual cash for the travel agency which can be used later to book relative services.
  7. For the first time, the attacker pays the right amount and having changed the eCash, he is given the amount.
  8. The next time, an attacker having the tampered value could be used without involvement of payment gateway.

And in this way..

  • The dependency of the payment gateway is bypassed.
  • The threshold for eCash value can be as high as the attacker wanted it to be.
  • The client side validation for the promo code is bypassed without needing validation from payment gateway.

Defencely web application security experts were able to detect the flaw in-time and were subsequently contact to keep an update on the table whilst we created a brief Incident handling report for the client to remediate it’s weakest chain in the security link to fix the client side vulnerability which were being reflected back to the server side storage of the same values that were tampered with.

Handling Server Side cleansing

Logs proved that there were still traces of attacks from internal servers where an attacker had an old access to a shell which was put into that particular server years before. Being able to access a remote shell could be sometimes a ghostly attempt or sometimes be very easily detectable. This however wasn’t the normal case where the shell access had any interactive features such as C99, or R57 webshells. It was a shell which could interact directly with the databases. For those of you wondering, admineris such a single php database access example.

The internal logs previously made us clear about the situation that an attacker was randomly scanning the hosts without any targeted attempt and might had discovered a backdoor from the previously compromised attempts.

Fig.3: Internal server logs shows random file browsing and traces of automated break-in

At this point, Defencely’s network security team appeared to rescue proceeding with log file audits and prevention framework deployment for handling such cases. Because current security policies had a weakening hole all along, the team chose to go with long time commitment for deploying network security services to India’s second largest travel agency for a better security positioning among it’s competitors. The incident proved the following:

  1. Lack of Network Security can conclude application level threats.
  2. Closure of network security policies and server hardening can be a long-term benefit.
  3. Application security can be benefited from at the limited scope without network security.
  4. System administrators should be proactively security trained to handle incidents when they occur.

An Eye-Opener

Such threats like the one above could be silently escalated to compromise an entire range of network to cause a disaster which can be of financial impact. Because every businesses would keep their data warehouse of financial assets internally segregated, the same doesn’t assure any security if being served externally with a part of systems exposed at Internet front-fore with web-services, etc ..and hence can cause an security incident.

Risk Assessments are a great way, but Risk Treatment is an essential ingredient to neutralize risks when they occur. To relatively perform security audits and perform monthly assessments in order to actively defend new threats, the internal development team @travel agencies we are currently positioned with has made efforts to close out threats in coordination with Defencely’s security experts.

I hope this eye-opener incident will make a difference and industrial experts will actively take efficient steps to make security as stronger as it needs to be and tightened to regulate smooth businesses run at a frequent run-levels with patches being applied and ‘security’ taken as an core fundamental element while development is in process – or otherwise the fate of any application or network appliances are left to unpatched vulnerabilities and at the discretion of insecure deployment in its first stages of product release commitment. Our security model for each one is concise and appropriate security solutions are enterprise ready. Feel free to connect back and reach us for any help required with security concerns for your web applications, network infrastructure or enterprise 360 degree security.

Author Bio

Shritam Bhowmick is a web application penetration tester professionally equipped with traditional application security testing as well as professional security management leading to team of expertiseand adding active value to Defencely Cloud Security Pvt. Ltd. He currently holds Technical Expertise at web application threat reporting and coordination for Defencely Cloud Security Pvt. Ltd.’s clients.

At his belt of accomplishments, he has experience in identifying critical web application vulnerabilities and add value to Defencely with his research work and developing the R&D team. The R&D sector towards application security is growing green at Defencely and is taken care by him. Professionally, he have had experiences with several other companies working on critical application penetration test engagement, leading the Red Team and also holds experience training curious students at his leisure time.

Out of professional expertise at Application Security, Shritam Bhowmick utilizes his knowledge for constructive Red Teaming Penetration Test Engagements for key Indian Top Notch Clients and has a proven record for his excellence in the field of IT Security. A Google search with his name would suffice the eye. Shritam Bhowmick has been delivering numerous research papers which are mostly application security centric and loves to go beyond in the details. This approach has taken him into innovating stuff rather than re-inventing the wheel for others to harness old security concepts. In his spare time, which is barely a little; he blogs, brain-storms on web security concepts and prefers to stay away from the normal living. Apart from his professional living, he finds bliss in reading books, playing chess, philanthropy, and basket-ball for the sweat. He wildly loves watching horror movies for the thrill.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s