The vulnerability is in the Yilong Android client. All data the client sends is transmitted in plaintext, including the login name and password. No problem was found when testing hotel reservations, because the server verifies the amount; buying a flight ticket, however, reveals a problem.

1. First, select a flight for a date in the client. Figure 1 shows a total amount of 1100, made up of three parts: the air ticket, the airport construction fee, and the fuel surcharge. Then fill in the order information and confirm the order.
2. Figure 2 shows this step. Click "Submit order" at the bottom and intercept the request with Burp Suite. The data is only URL encoded.
3. After URL decoding (Figure 4), the sensitive information is seen to be transmitted in plain text. Change the price value to 1 (air ticket price), the OilTax value to 0 (fuel surcharge) and airtax to 0 (airport construction fee), then change totalprice to 1 and submit the modified packet; the ticket is bought for 1 yuan. The client then jumps to Figure 5. Because the packet was modified on its way to the server, the client still displays the original price, but the order data on the server has been changed. The order can be viewed on the website, as shown in Figure 6.

Figure 7 shows the payment process, which was not continued. Since the order amount on the server has been modified, the payment is based on the server-side amount.

Solution: Encrypt the data transmitted by the client and verify the order amount on the server.
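The server-side half of that solution, as an added example that is not part of the original report: the order handler parses the URL-encoded body, recomputes the total from its own fare table and rejects any request whose price, airtax, OilTax or totalprice fields disagree with it. The FARES table, the flight identifier and both request bodies are constructed for the example; only the field names come from the report.

```python
from urllib.parse import parse_qs

# Constructed server-side fare table (authoritative prices, never the client's).
# The three components are the ones the report names: air ticket (price),
# airport construction fee (airtax) and fuel surcharge (OilTax). Sample values.
FARES = {
    "FLIGHT-001": {"price": 1000, "airtax": 50, "OilTax": 50},  # total 1100
}

AMOUNT_FIELDS = ("price", "airtax", "OilTax")


def authoritative_total(flight_id):
    """Recompute the order total purely from server-side data."""
    fare = FARES[flight_id]
    return sum(fare[k] for k in AMOUNT_FIELDS)


def validate_order(body):
    """Parse a URL-encoded order body and verify its amounts server-side.

    Returns (ok, server_total, reason). Client-sent amounts are treated as a
    claim to be checked; the server-computed total is the only amount charged.
    """
    fields = parse_qs(body, keep_blank_values=True)
    try:
        flight_id = fields["flight"][0]
        claimed = {k: int(fields[k][0]) for k in AMOUNT_FIELDS + ("totalprice",)}
    except (KeyError, ValueError):
        return False, None, "missing or non-numeric field"
    if flight_id not in FARES:
        return False, None, "unknown flight"
    fare = FARES[flight_id]
    server_total = authoritative_total(flight_id)
    for k in AMOUNT_FIELDS:
        if claimed[k] != fare[k]:
            return False, server_total, f"{k} mismatch: client {claimed[k]} vs server {fare[k]}"
    if claimed["totalprice"] != server_total:
        return False, server_total, f"totalprice mismatch: client {claimed['totalprice']} vs server {server_total}"
    return True, server_total, "ok"


# Constructed request bodies: an untouched order and one with the amounts lowered
# the way the report describes (price=1, airtax=0, OilTax=0, totalprice=1).
GOOD_BODY = "flight=FLIGHT-001&price=1000&airtax=50&OilTax=50&totalprice=1100"
TAMPERED_BODY = "flight=FLIGHT-001&price=1&airtax=0&OilTax=0&totalprice=1"

if __name__ == "__main__":
    for body in (GOOD_BODY, TAMPERED_BODY):
        print(validate_order(body))
```

The mismatch reason is worth logging: repeated rejections from one account are a useful detection signal for price tampering. Transport encryption (the other half of the solution) does not replace this check, since the client remains untrusted even over TLS.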