# Bugbounty: “How I was able to see other users' Payments in a travel application” — IDOR, $800

Let me thank all the bug bounty hunters over there who are creating great content and inspiring a lot of people like me.

Thank You, community folks, @akhilreni_hs @stokfredik @hakluke @farah_hawa01 @dhakal_ananda @adityashende17 @bugcrowd @rakesh_3895

Hi Guys,

I'm Ganesh, a security analyst at WesecureApp and a part-time bug bounty hunter. I recently got an invite to a travel application program.

The application allows users to book hotels and flights. Once a user fills in the necessary information they are redirected to the payment gateway, where there are a couple of options to complete the payment. I selected the credit card option and captured the request using Burp proxy.

Request (screenshot of the captured payment request)

I observed that the application redirects to “*redacted.com”. I tried changing all the values in the request body parameters, and out of curiosity I tried brute-forcing the “req_reference_number” parameter. That let me list out other users' payments.

Lucky me :)

I was able to view other users' sensitive information such as Social Security Number, Passport Number, Name and valid Ticket IDs.
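As an added example (not the author's code and not the travel application's), here is the kind of lookup that produces the IDOR described above, next to a hardened version that binds the payment record to the authenticated user, an unguessable reference generator, and a simple detection rule for reference-number enumeration. The record layout, user names and event format are assumptions.

```python
import hmac
import secrets
from typing import Optional

# Constructed sample payment records keyed by req_reference_number.
# Sequential values like 1001, 1002 are what made enumeration trivial.
PAYMENTS = {
    "1001": {"owner": "alice", "passport": "P111111", "ticket": "TKT-1"},
    "1002": {"owner": "bob",   "passport": "P222222", "ticket": "TKT-2"},
}

def lookup_vulnerable(req_reference_number: str) -> Optional[dict]:
    """Vulnerable: the record is returned to whoever supplies a valid number.
    Nothing ties the reference to the session that asks for it."""
    return PAYMENTS.get(req_reference_number)

def lookup_fixed(current_user: str, req_reference_number: str) -> Optional[dict]:
    """Hardened: the record must exist AND belong to the authenticated user.
    Both failures return None so the response does not confirm that a
    reference number exists for someone else."""
    record = PAYMENTS.get(req_reference_number)
    if record is None or not hmac.compare_digest(record["owner"], current_user):
        return None
    return record

def new_reference_number() -> str:
    """Defence in depth: an unguessable reference instead of a counter.
    This is not a substitute for the ownership check above."""
    return secrets.token_urlsafe(16)

def flag_enumeration(events: list, threshold: int = 5) -> set:
    """Detection: (session_id, req_reference_number) events; any session that
    requests more than `threshold` distinct reference numbers is flagged."""
    seen: dict = {}
    for session, ref in events:
        seen.setdefault(session, set()).add(ref)
    return {s for s, refs in seen.items() if len(refs) > threshold}
```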

Though it's a P1 issue, the team has listed it as P2 :)

Thanks for reading my blog :)

Twitter : ganiganeshss79

Lazy Kid | Security Analyst | WesecureApp | Bughunter @Bugcrowd.