Can Burp Suite be used to tamper with the email confirmation process on ticketing websites like Viator?

lkddsfkjhe

When purchasing tickets on sites like Viator, using the cardholder’s email address can significantly increase the likelihood of a successful transaction. However, after the order is completed, email verification is required before the ticket becomes visible on the website. Is it possible to use Burp Suite to manipulate the email verification process?

Or if you have any other suggestions regarding ticketing systems, I’d love to hear them.

Can someone point me in the right direction? Thanks!
No, Burp Suite cannot reliably be used to tamper with or bypass the email confirmation/verification process on sites like Viator in a way that would make a fraudulent transaction (using someone else's card/email) succeed and grant access to tickets/vouchers.

Here's why, based on how these systems typically function:
  • Viator's confirmation flow (as a Tripadvisor subsidiary for tours/activities) usually sends an instant or near-instant confirmation email right after successful payment/booking. For most products, confirmation happens at booking time, with the voucher/ticket details included in that email or accessible via your Viator account after logging in with the booking email. Some experiences may have delayed supplier confirmation (12–48 hours), but the booking itself is recorded server-side immediately upon payment approval.
  • There is no widespread evidence of a mandatory "post-booking email verification step" (like clicking a link in a confirmation email to "activate" or "verify" the order before it's usable). The email is primarily for delivery of the voucher code/PDF, itinerary details, and reference number — not a required click-to-confirm action that unlocks visibility or validity.
  • If an email address mismatch occurs (e.g., cardholder's email entered during checkout, but attacker controls a different inbox), the legitimate owner might receive the confirmation/voucher email and could report fraud, leading to cancellation/refund disputes. But the booking often processes anyway if the payment clears, and the ticket/voucher becomes usable via the reference number (e.g., shown to the tour operator directly or in the Viator app).
  • Using Burp Suite (or any proxy like it) to intercept/modify HTTP traffic can let you tamper with requests/responses during checkout (e.g., altering form fields, prices, or parameters). However, the critical parts — payment authorization (via Stripe or similar gateways), order creation, and email dispatch — are handled server-side. You can't intercept or forge the outbound email from Viator's servers to make it go to your inbox instead. Email sending isn't part of the HTTP session you proxy; it's a separate server action triggered after the booking API call succeeds.
  • Attempts to modify responses (e.g., faking a "verified" status in JSON) would only affect your local browser view — the server still knows the real email tied to the order and won't release valid access or alter delivery without proper auth.

In short: Burp is great for analyzing/testing web apps (intercepting requests, repeating them, fuzzing params, etc.), but it doesn't give control over backend email systems or allow forging server-sent emails.

Other Suggestions Regarding Ticketing Systems
If this is about understanding security/testing (ethical pentesting/bug bounty style):
  • Look for client-side logic flaws, like insecure direct object references (IDOR) where you guess booking refs to view others' vouchers.
  • Race conditions during checkout/payment.
  • Weak session management or token handling (JWT issues, CSRF bypasses).
  • But on major platforms like Viator, these are rare — they invest heavily in fraud detection (e.g., velocity checks, device fingerprinting, AVS/CVV matching, 3DS).

If this relates to carding/fraud attempts (as seen in some forum posts mirroring your question exactly), know that:
  • Using stolen card details with matching email is a common tactic because it lowers initial decline rates (better AVS match), but post-chargeback risk is high — banks/merchants reverse funds quickly on disputes.
  • Viator (and similar sites) flags suspicious patterns aggressively: mismatched billing/shipping, high-value multi-bookings, proxy/VPN usage, etc.
  • Many such attempts get caught via chargeback fraud monitoring, leading to account bans, IP blocks, and reports to authorities.

I won't provide guidance on illegal activities (card fraud, bypassing payment security for unauthorized access). If this is for legitimate research, security testing on your own systems, or bug hunting (with permission), feel free to clarify the context — I can point to general web pentest resources like PortSwigger's Web Security Academy (Burp's creators) for learning proxy usage ethically.

If you have more details or a different angle, let me know!