How I Hacked into Someone's Account Using an IDOR Vulnerability
The IDOR that paid me well!!!
After my first discovery of an IDOR, I got really interested in testing loads of web applications for the same vulnerability, and after hunting for a few days I finally found one website that had this critical vulnerability: a loophole that could have compromised any user registered with the website. The website name is: Dude, I know you want to bang this link.
So I thought, let's check out this team management web application, thinking of finding some medium-level bugs like XSS or CSRF. So I started hunting on the site and created two accounts (I will take some time to elaborate), i.e. one account named sam anjan [my previous name on Facebook] and another that will always be sam victim [making myself the victim of my own attack, ohh!!! wtf dude, this self-attack...hahahahaha]. Sometimes when I get frustrated I give the two accounts names like Dominos and Pizza Hut, or McFlurry and Coke...something like that. Now that's enough kidding already; let's get back to the security part of the bug.
So indeed I found an account-takeover CSRF via user interaction, which is no better than a normal CSRF attack. I would again say: don't treat CSRF as a low-severity bug; many exploits can be built on CSRF itself. I will be making another post on a special CSRF attack soon 😍😁😆.
I found multiple CSRF issues. In a few of the functionality modules like add / remove / create, they had added a csrfmiddleware token, but it was not even being validated by the server (the love of every hacker). I was like......oops, dev team!!!!!
Okay, here comes the bounty of all time; I guess those were my lucky days to get those figures in my bank account 😉. While going through the site I saw that a weak password policy was implemented: the change-password form did not ask for the current password before setting a new one, and I was like....Okay......
So going forward, I intercepted the request sent when changing the password and saw that a "userid=" was being passed in the POST parameters, and the next thing on my mind was I.D.O.R. To make it clear: the user id was in a weak encoded form that could easily be decoded (in the video I never decoded it because I was too eager to know how much bounty they would pay me 😈). The next thing I did was go to my second account; the address bar itself showed something like "/user/<user_id_encoded>/", so I copied sam victim's account UID, went to the sam anjan account and typed a new password. While clicking the change button I simply intercepted my request in Burp, replaced sam anjan's UID with sam victim's, and boooooooooooooooooooom.........it showed a success message....I was like...
Then I went to check whether that password was applied to sam anjan's account or sam victim's account. After logging out of sam victim's account and logging back in with the new password (the one I had tried to set from sam anjan's account), I was able to log in with the new password...and I was like...time to celebrate...
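To make the two defects concrete (the userid trusted from the POST body, and the CSRF token the server never checked), here is an added example that is not code from the original post or from the affected site: a toy password-change handler in the vulnerable shape beside a fixed one, replayed against the two-account test described above. The user ids, account names, the base64 encoding standing in for the site's "weak encoded form", and the request shape are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed in-memory user store; ids and names are sample data,
# not anything from the original post.
@dataclass
class User:
    uid: int
    username: str
    salt: bytes
    password_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(uid: int, username: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(uid, username, salt, hash_password(password, salt))


def verify_login(users: dict, uid: int, password: str) -> bool:
    user = users[uid]
    return hmac.compare_digest(hash_password(password, user.salt), user.password_hash)


# The post says the user id travelled in a "weak encoded form"; plain
# base64 stands in for that here (assumption: the real scheme is not shown).
def encode_uid(uid: int) -> str:
    return base64.urlsafe_b64encode(str(uid).encode()).decode()


def decode_uid(token: str) -> int:
    return int(base64.urlsafe_b64decode(token.encode()))


@dataclass
class Request:
    """Minimal stand-in for an authenticated HTTP POST."""
    session_uid: int      # who the server-side session says is logged in
    session_csrf: str     # token the server issued to this session
    form: dict = field(default_factory=dict)


def change_password_vulnerable(users: dict, req: Request) -> str:
    # The object reference comes from the client and is never compared with
    # the session: any logged-in user can reset any other user's password.
    # The csrf_token field is present in the form but never looked at.
    target = users[decode_uid(req.form["userid"])]
    target.salt = secrets.token_bytes(16)
    target.password_hash = hash_password(req.form["new_password"], target.salt)
    return "success"


def change_password_fixed(users: dict, req: Request) -> str:
    # 1. Identity comes from the server-side session, never from the body.
    user = users[req.session_uid]

    # 2. The CSRF token is actually validated, in constant time.
    sent = req.form.get("csrf_token", "")
    if not sent or not hmac.compare_digest(req.session_csrf, sent):
        return "forbidden: csrf"

    # 3. A userid field that disagrees with the session is rejected; a
    #    mismatch here is worth logging as a probable IDOR attempt.
    if "userid" in req.form and decode_uid(req.form["userid"]) != user.uid:
        return "forbidden: userid mismatch"

    # 4. Re-authenticate: the current password is required to set a new one.
    if not verify_login(users, user.uid, req.form.get("current_password", "")):
        return "forbidden: current password"

    user.salt = secrets.token_bytes(16)
    user.password_hash = hash_password(req.form["new_password"], user.salt)
    return "success"


def run_scenario(handler) -> dict:
    """Replay the two-account test from the post against a handler."""
    users = {1: make_user(1, "sam_anjan", "attacker-pw"),
             2: make_user(2, "sam_victim", "victim-pw")}
    csrf = secrets.token_urlsafe(16)
    # Logged in as account 1, but the form names account 2's encoded id
    # and carries a token the server never issued to this session.
    req = Request(session_uid=1, session_csrf=csrf,
                  form={"userid": encode_uid(2), "new_password": "pwned-pw",
                        "csrf_token": "stale-or-forged"})
    result = handler(users, req)
    return {"result": result,
            "victim_takeover": verify_login(users, 2, "pwned-pw"),
            "victim_unchanged": verify_login(users, 2, "victim-pw")}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(change_password_vulnerable))
    print("fixed:     ", run_scenario(change_password_fixed))
```

The fixed handler never consults the client-supplied id for authorization; if the form still carries one, the mismatch is a useful signal for detection rather than a value to act on.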
Okay, so I mailed them the prepared report and they confirmed the vulnerability. They asked me what a fair amount for this type of bug would be; I provided the figure I thought appropriate, but to my surprise they paid an amount which made me go nuts....
That was a really lucky day for me :)
Here is the POC Video:
STATUS : FIXED
Bounty: $$$$
Thanks for reading!!! Please do provide any suggestion / feedback.