!NF0RM@T!0N D!$(L0SUR3 v!a !D0R
IDOR IS PURE LOVE Part - II
Hello Friends!!! Welcome to the MultiVerse Bugbounty blog. This is Pratyush. Before going further, I would like to let you know that the heading "Part-2" above does not mean this is another part of the exploitation from the 1st Part. Here I will be talking about anything and everything related to information disclosure via IDOR.
So let's begin the journey of a LOVED IDOR that gives you access to all the information of any customer registered in the web application (approx. 25K users), and by the way, it also gives you access to modify their details too. I guess it's more dangerous than a SQL Injection!!!!
For the first time in my life, I saw something more devastating than SQL Injection. Oh Yes!!! It's much more serious, because by changing user ids I was able to access anyone's details: user name, API token, email id, phone number and of course home address too. In effect, this bug was compromising the whole database.
So let's go into some technical details and learn more about this particular information disclosure bug via IDOR.
This was not a fine day. I was going through the worst phase of my life: I hadn't received any bounty for the last month, I had so many duplicates on CSRF, and many programs had stopped responding to mails. So after so much struggle, finally the day came when I could see some $$$$ in hand. I was like....
So I visited this site (not this link), then signed up normally with an email id, and then went on to check the account settings tab of the web application (I know most of us look for all the bugs in this particular area when hunting for a big bounty 😉😉😉😉). I checked if there was something like a user id being shown in the URL, but Nope!!! No luck. This B!tch ain't that easy (Yo ma-man, we need to work harder this time).
So I went ahead and intercepted the request and checked if something could be made out of it for the big time..... What I found was....
So what have we got here!!! Oh hell yeah!!! The application is using a user_id for the data update on the database, and hence, again IDOR comes into play. All of us would now be thinking of creating another account to check if the IDOR is possible by changing the user_id, but this time I was more curious to see the "RESPONSE" of the server to my modified request. Assuming I would get no juicy response from the server, I hit the enter button on my keyboard.
What I saw next was something that brought tears of happiness. I was like, holy moly Sh!T!!!
What I basically did was change the User_id to a random User_id, and it showed me the page below with all the personal information....
Let's check out the process and get to know the proper POC steps, so that we can learn a few good things...
So basically, I am on the page below, in the profile section of my account...
If I intercept the request while saving my details, I get into the situation below.
So what I did next was send the request to "Burp Repeater" and check if there was something that could lead to a big time thing......
I was on cloud nine. I was literally shocked to see what I witnessed that day.....
So I was able to identify the loophole right there, when I saw that the web application's "Response" also contained "{"id":"User_id"}" in JSON format. So I was like.......
Okay, now I can play with the parameter to see if the IDOR can be used to leak information from the database. So I changed the User_id in the "Request" in Burp Repeater, and I got an amazing response with the details of another user, as you can see below...
I went ahead and changed the user id to another random id, and I was provided with all the details of that user...
Further, to confirm it for my own satisfaction, I went ahead and again intercepted my request and changed the User_id to another id to see the response in the browser.... I was provided with a hell of a lot of details.....
So what I learnt from this is: "Never Skip" checking the "Response" of any such request.
I hope you have found something new in this post, and thank you for reading :)))
Stay blessed and keep Hunting!!! 😎😎😎😎😎
Stay tuned for a good Bug Report in the NEXT post.
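To make the root cause concrete, here is an added example (not code from the original post or the affected application) of a profile-update handler with the same flaw, beside a hardened version. The user store, ids and tokens are constructed sample data; the flaw mirrored is the one described above: the handler trusts the user_id sent by the client and echoes the full record back in the response.

```python
# Constructed sample user store (placeholder data, not from the original post).
USERS = {
    101: {"name": "alice", "email": "alice@example.test", "api_token": "tok-a"},
    102: {"name": "bob", "email": "bob@example.test", "api_token": "tok-b"},
}

EDITABLE_FIELDS = ("name", "email")


class Forbidden(Exception):
    """Raised when a request tries to act on a record the session does not own."""


def update_profile_vulnerable(session_user_id, body):
    """Mirror of the flaw in the writeup: the record to read and write is
    chosen by the user_id in the request body, not by the logged-in session,
    so changing user_id reaches another customer's record."""
    target = USERS[body["user_id"]]
    target.update({k: v for k, v in body.items() if k in EDITABLE_FIELDS})
    # The whole record is echoed back, including fields the profile page
    # never needed to display (the API token).
    return {"id": body["user_id"], **target}


def update_profile_fixed(session_user_id, body):
    """Hardened handler: the record is selected by the server-side session id,
    any client-supplied user_id must match it (a mismatch is a signal worth
    logging and alerting on), and the response carries only displayed fields."""
    requested = body.get("user_id", session_user_id)
    if requested != session_user_id:
        raise Forbidden(f"session user {session_user_id} may not access user {requested}")
    target = USERS[session_user_id]
    target.update({k: v for k, v in body.items() if k in EDITABLE_FIELDS})
    return {"id": session_user_id, "name": target["name"], "email": target["email"]}
```

Running both handlers with a session for user 101 and a body naming user 102 shows the difference: the vulnerable version returns Bob's email and API token, the fixed version raises Forbidden and never touches the record.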
Great writeup bro, and how much was the bounty?
Was good enough bro...