IDOR to information disclosure + Admin Account Takeover
I am Aditya Shende (Kong) from India. Bounty hunter, biker and researcher.
This is my 3rd article. If you find any spelling error, let it be...
What is IDOR?
In a Direct Object Reference web application design, application-controlled resources are identified by entity names or ids supplied directly in URLs or request parameters. The reference becomes an Insecure Direct Object Reference (IDOR) when the server acts on that client-supplied id without checking that the requesting user is actually authorized for that object.
Let's get started...
As a normal user I tested all functions including update, delete, download, make post public and private etc. Found many bugs, but this one is interesting, as I think. The view profile function was my first shot and POST parameters were second. Endpoint: POST /Profile. See the screenshot below.
So basically it was disclosing enough information; I tried it for myself. Now playing with the username parameter was a good shot, where I put another user's number in username and got his information including home address, role, number, access level etc.
In the profile section there was a reset password function, so the evil mind comes up.
If I know the _id of any user then I can reset his/her password. I tried exactly what I thought of and it was working fine. So here is how I did it: a POST request containing _id and password; I replaced my id with another user's encrypted id and forwarded the request.
After sending this request, the response was 200 OK, and as we all know JSON context params have default responses like: true, verified, error, success etc. Mine came up with "true".
So I tried to access that user's account with the username and the password which I set, and it was working and led to ATO of an admin. I had multiple privileges that a normal user can't access.
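To make the two findings above concrete from the defender's side, here is an added example (not the author's code, and not from the target site) that models the profile lookup and the password reset as small Python handlers: first in the IDOR-prone form the write-up describes, where the request body alone picks the target record, and then with the object-level authorization check that closes the hole. The users, ids, field names (_id, username, password, role) and session model are all constructed for the example.

```python
"""Added example: IDOR-prone vs. fixed profile and password-reset handlers.
Everything here (users, ids, field names, session id) is constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class User:
    user_id: str        # the opaque _id the client echoes back in requests
    username: str
    role: str           # "user" or "admin"
    phone: str
    home_address: str
    salt: bytes
    password_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2; the point of the example is authorization, not hashing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(user_id, username, role, phone, address, password):
    salt = os.urandom(16)
    return User(user_id, username, role, phone, address, salt, _hash(password, salt))


# Constructed sample tenant: one normal user and one admin.
USERS = {
    "u-1001": make_user("u-1001", "alice", "user", "555-0101", "1 Example St", "alice-pw"),
    "u-0001": make_user("u-0001", "root_admin", "admin", "555-0100", "HQ", "admin-pw"),
}
BY_USERNAME = {u.username: u for u in USERS.values()}

PUBLIC_FIELDS = ("username", "role")
PRIVATE_FIELDS = ("user_id", "phone", "home_address")


def verify_password(username: str, password: str) -> bool:
    u = BY_USERNAME.get(username)
    return u is not None and hmac.compare_digest(_hash(password, u.salt), u.password_hash)


# --- IDOR-prone handlers: the request body alone selects the target --------
def view_profile_vulnerable(session_user_id: str, body: dict) -> dict:
    # Returns every field of whatever username the client asked about.
    u = BY_USERNAME[body["username"]]
    return {f: getattr(u, f) for f in PUBLIC_FIELDS + PRIVATE_FIELDS}


def reset_password_vulnerable(session_user_id: str, body: dict) -> dict:
    # Trusts the client-supplied _id, so any logged-in caller can reset any account.
    u = USERS[body["_id"]]
    u.password_hash = _hash(body["password"], u.salt)
    return {"success": True}


# --- Fixed handlers: authorize against the session, not the body -----------
def view_profile_fixed(session_user_id: str, body: dict) -> dict:
    u = BY_USERNAME.get(body.get("username"))
    if u is None:
        return {"error": "not_found"}
    fields = PUBLIC_FIELDS
    # Private fields only for the record owner, or for an admin session.
    if u.user_id == session_user_id or USERS[session_user_id].role == "admin":
        fields = PUBLIC_FIELDS + PRIVATE_FIELDS
    return {f: getattr(u, f) for f in fields}


def reset_password_fixed(session_user_id: str, body: dict) -> dict:
    # Object-level check: the session user may only change their own record.
    # (The simplest fix is to ignore body["_id"] entirely and use the session
    # id; comparing them instead also gives you a log line worth alerting on.)
    if body.get("_id") != session_user_id:
        return {"success": False, "error": "forbidden"}
    u = USERS[session_user_id]
    u.salt = os.urandom(16)                  # rotate salt on every reset
    u.password_hash = _hash(body["password"], u.salt)
    return {"success": True}
```

In a real deployment the reset handler would additionally require the current password or a fresh re-authentication, and the mismatch branch in `reset_password_fixed` is the natural place to emit an audit event: a body `_id` that differs from the session's id is exactly the request pattern described in this post.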
And again I got multiple different functions to test. On that site I found more than 20 vulnerabilities.
Thanks for reading, Jai Hind