Buying Rekhta Tickets worth INR 1499 for freeee!!
I was sitting in yet another painful and dull DevOps class, the kind where phrases like ‘pipelines’ and ‘infrastructure’ get thrown around so much that your brain starts tuning out completely. I needed something to keep myself awake, and that’s when I came across Jashn-e-Rekhta — a 3-day Urdu/Hindi festival featuring big names like Kailash Kher and Javed Akhtar. It sounded incredible, and I immediately wanted to go.
The problem? Concert tickets aren’t cheap, and as a student, my budget was practically nonexistent. But then it hit me — why not see if I could find a way around the system? It wouldn’t be the first time I’d tried tweaking things for fun.
I opened up Burp Suite and started exploring the festival’s website. After a bit of digging, I found something interesting: an API endpoint called api/createorder. That alone was enough to get me curious.
The site was sending a POST request to this endpoint with some basic details — phone number, email, and a price parameter. Seeing that price parameter awakened me from my sleep. I decided to test the waters and changed the price to something ridiculously low, just to see what would happen. I set it to ₹2, hit send, and waited.
To my surprise, it worked. I got a UPI payment request for ₹2. I paid it, and just like that, I had my ticket.
Now, the big question: how was the concert?
Well… I didn’t go.
Let’s just say the thrill of the hack was enough for me 😉
This vuln has been reported and patched in a timely manner by the Rekhta team.
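
The post does not say how the fix was implemented. As an added example (not code from the site or from the author), here is the price-trusting order handler described above next to one way to harden it; the ticket_id field, the catalog and all function names are assumptions.

```python
from decimal import Decimal

# Server-side price list (constructed; the ticket id is hypothetical).
CATALOG = {"festival-pass": Decimal("1499")}

class OrderRejected(Exception):
    """Raised when a request disagrees with the server-side price."""

def create_order_vulnerable(body: dict) -> dict:
    # The flaw described in the post: the amount to charge is whatever
    # the client sent in the "price" field.
    return {"email": body["email"], "phone": body["phone"],
            "amount": Decimal(str(body["price"]))}

def create_order_hardened(body: dict) -> dict:
    # The client only names the item; the amount comes from the catalog.
    ticket_id = body.get("ticket_id")
    if ticket_id not in CATALOG:
        raise OrderRejected(f"unknown ticket_id: {ticket_id!r}")
    amount = CATALOG[ticket_id]
    # A client-sent price is never used for charging. If one is present and
    # differs, reject so the attempt is visible in logs as tampering.
    if "price" in body:
        try:
            sent = Decimal(str(body["price"]))
        except ArithmeticError:
            raise OrderRejected("price is not a number") from None
        if sent != amount:
            raise OrderRejected(f"price mismatch: sent {sent}, expected {amount}")
    return {"email": body["email"], "phone": body["phone"],
            "ticket_id": ticket_id, "amount": amount}

def confirm_payment(order: dict, paid_amount: Decimal) -> bool:
    # Second check at fulfilment: issue the ticket only if the amount the
    # payment provider reports equals the amount the server computed.
    return paid_amount == order["amount"]

if __name__ == "__main__":
    tampered = {"email": "a@example.com", "phone": "0000000000",
                "ticket_id": "festival-pass", "price": 2}  # constructed request
    print(create_order_vulnerable(tampered)["amount"])
    try:
        create_order_hardened(tampered)
    except OrderRejected as exc:
        print("rejected:", exc)
```

The check in confirm_payment matters even with a hardened order endpoint, because it ties ticket issuance to the amount actually received rather than to the fact that some payment arrived.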