Hi there 👋
Welcome to my blog
Disclaimer

This blog post is shared for educational and academic purposes only. All issues described here were responsibly reported to the affected company and have since been fixed and verified. Permission to publish was granted by the company. The intention of this write-up is to raise awareness, improve security practices, and share lessons learned with the community.

Act I — The Setup

It all started on a lazy evening in April. I wasn’t trying to hack anything major, just poking around a movie ticketing site that I’m a client of, with DevTools open. As I added a ticket to my cart, something odd caught my eye: a POST request carrying a mysterious parameter named encInfo. ...