How I paid my Vehicle e-challans on the AP e-challan website for FREE 🆓😁

Anudeep Vysyaraju
4 min read · Dec 4, 2023


Good day, people! This is Anudeep Vysyaraju, back with a new write-up on how I paid my vehicle e-challans on the AP e-challan website for free.

Let's get started…

Few lines about e-challan…

E-challans (electronic challans) are the current method of issuing traffic challans in India for traffic violations. If you receive an e-challan, you must pay the fine online. The police issue e-challans based on footage from cameras mounted at traffic signals.

Let’s re-create the scenario!!

One fine day I was stopped by the police, and they asked for my license, some documents, etc. I showed them everything, but they weren't satisfied with it. Finally a P-Guy 👮‍♂️ came over to me and checked for pending challans on my vehicle, and, as my bad luck would have it, I had 2 pending challans. He asked me to pay, and I asked him to excuse me this time because I didn't have a mobile with me. So the P-Guy 👮‍♂️ told me to clear them at any cost!!

"After some time I visited the website and came to know that something on the website was illogical 😁😈😉"

This is how my hunt for vulnerabilities on this website started 😈😈

Let's move on to the hack!!!

After visiting the website on mobile, I could see that it had been developed very poorly, so I opened my laptop and turned on Burp. After setting up the laptop I went through the workflow of the website, and after some time I found out that AP e-challan also has Android and iOS apps.

So I felt I had some more scope for finding vulnerabilities or bugs. I started the Android app in my Android emulator and tried everything in my checklist, and got a few small bugs 😁😁, but I was looking for something big, so I left the Android app and the website alone for a few hours.

After that, I wanted to pay the challans, so I opened the laptop again and saw something suspicious in the redirections. So I turned on Burp 🔎

I opened the website and entered the vehicle number and captcha.

Entered the Vehicle Number and Captcha

Now I had a pending challan to pay as a fine.

Pending challan

Now I tapped the Pay Now button, and it asked me to enter some basic details.

A random email and phone number were entered

After entering the basic details, I tapped the Pay Now button again, and this time the website redirected me to the payment gateway page.

Redirected to the payment gateway

Now I turned on Intercept in Burp Suite and cancelled the payment by tapping the cross on the Razorpay payment window. Looking through the many requests and responses that followed, I noticed one request that looked different, so I decided to try something on that particular request.

Suspicious request that got my attention

As you can see, the request was a GET to /Searchchallan/failpayment, the URL the browser is sent back to after a cancelled payment. The outcome of the payment is carried in the last path segment, "failpayment", which the browser (and therefore the user sitting behind Burp) controls, so I wanted to try changing that segment to something else.

After a few attempts, I changed "failpayment" to "successpayment".

The path segment changed from failpayment to successpayment

Now I clicked the Forward button in the Burp Intercept tab…

Boooooommmmmm, I was shocked to see a Success message on the screen 🥳🎉🥳🎉

Success Page

But the happiness didn't last long, because I assumed it was just an HTML change!! 😔☹️😖

I closed the laptop and went out for a break. When I opened the website again and searched for the same vehicle number, surprisingly, the website showed the message "No Pending challans" 🥳🥳🥳🥳

I searched the same number in the app too, and found that the challan had been marked as paid and was showing under paid challans!! 🥳🎉
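What the site actually did wrong is that it treated a client-controlled return URL as proof that money had moved: whichever path segment the browser requested after the Razorpay window closed decided whether the challan was marked paid. The example below is added here to make that concrete; it is not the AP e-challan site's code (which is not public) and not Razorpay's. The vulnerable handler is my reconstruction of the behaviour described above, and the hardened handler uses Razorpay's documented Checkout verification (HMAC-SHA256 over "order_id|payment_id" keyed with the key secret, compared against razorpay_signature) together with a server-side order record, so that the outcome comes from something the gateway signed rather than from the URL. All names (fresh_state, vulnerable_callback, hardened_callback, the challan and order ids, the key secret) are made up for the example.

```python
import hashlib
import hmac


def fresh_state():
    """Constructed sample data, not taken from the AP e-challan system: one
    vehicle with one pending challan, plus the gateway order the server created
    for it when the user pressed "Pay Now". Amounts are in paise."""
    challans = {"CH-0001": {"vehicle": "AP39AB1234", "amount_paise": 100000,
                            "status": "PENDING"}}
    orders = {"order_demo_0001": {"challan_id": "CH-0001", "amount_paise": 100000,
                                  "settled": False}}
    return challans, orders


def vulnerable_callback(path, challan_id, challans):
    """Reconstruction (an assumption, not the site's real code) of the pattern the
    write-up describes: the last segment of the return URL, which the browser
    sends and anyone with Burp can rewrite, decides the outcome of the payment."""
    action = path.rstrip("/").rsplit("/", 1)[-1]
    if action == "successpayment":
        challans[challan_id]["status"] = "PAID"   # no evidence that money moved
        return "Payment successful"
    if action == "failpayment":
        return "Payment failed"
    return "Unknown action"


def razorpay_signature_ok(order_id, payment_id, signature, key_secret):
    """Razorpay's documented Checkout verification: HMAC-SHA256 over
    "<order_id>|<payment_id>" keyed with the merchant's key secret must equal the
    razorpay_signature returned with the payment. compare_digest is constant-time."""
    msg = f"{order_id}|{payment_id}".encode()
    expected = hmac.new(key_secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), str(signature).encode())


def hardened_callback(params, challans, orders, key_secret):
    """The outcome is derived from a verified gateway signature and the server's
    own order record, never from the URL path or any other unsigned field."""
    order = orders.get(params.get("razorpay_order_id", ""))
    if order is None:
        return "Unknown order"
    if order["settled"]:
        return "Already processed"            # replayed callback: do nothing twice
    if not razorpay_signature_ok(params["razorpay_order_id"],
                                 params.get("razorpay_payment_id", ""),
                                 params.get("razorpay_signature", ""),
                                 key_secret):
        return "Payment failed"               # unsigned, forged or tampered callback
    # Which challan gets cleared comes from the order record created server-side,
    # not from anything the client sent.
    challans[order["challan_id"]]["status"] = "PAID"
    order["settled"] = True
    return "Payment successful"


def gateway_sign(order_id, payment_id, key_secret):
    """Stand-in for what the gateway does on its side; used here only to build a
    legitimate callback for the demo."""
    msg = f"{order_id}|{payment_id}".encode()
    return hmac.new(key_secret, msg, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    secret = b"demo_key_secret_not_real"  # placeholder, not a real Razorpay secret

    challans, orders = fresh_state()
    print(vulnerable_callback("/Searchchallan/successpayment", "CH-0001", challans),
          challans["CH-0001"]["status"])          # Payment successful PAID

    challans, orders = fresh_state()
    forged = {"razorpay_order_id": "order_demo_0001",
              "razorpay_payment_id": "pay_fake", "razorpay_signature": "00"}
    print(hardened_callback(forged, challans, orders, secret),
          challans["CH-0001"]["status"])          # Payment failed PENDING

    real = {"razorpay_order_id": "order_demo_0001", "razorpay_payment_id": "pay_demo_0001"}
    real["razorpay_signature"] = gateway_sign(real["razorpay_order_id"],
                                              real["razorpay_payment_id"], secret)
    print(hardened_callback(real, challans, orders, secret),
          challans["CH-0001"]["status"])          # Payment successful PAID
```

Even with the signature check, the browser redirect should be treated as a hint, not the record of truth: the authoritative confirmation belongs in the gateway's server-to-server webhook or a server-side fetch of the payment's status and amount, with the same idempotency guard so a replayed callback cannot clear a second challan.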

PS: The bug has already been reported to AP Police, but they haven't responded to me in a good way, and the "P-Guys👮‍♂️" were unhappy with my submission and reports. Also, this write-up is being shared because the concerned website is down!! 😉😅

This write-up is shared for Knowledge transfer purposes only.

Also special thanks to Mayur Parmar, Hemant Patidar, Tarun Tandon, and Pavan Kumar Chinta

Hope you enjoyed this write-up and learned something useful. Visit my profile if you have doubts, and ping me on LinkedIn for guidance.

Also, you guys can follow me on Medium

Thanks and bye… Happy hacking, and let's hack together 👨‍💻😈


Written by Anudeep Vysyaraju

Security Researcher and Bug Bounty Hunter
