How I Was Able to See All Users' Public IPs via IDOR
IDOR: The Purest Form of Cyber Magic!!!
Hi friends, and welcome to the Multiverse Bug Bounty blog, where we love hacking more than The Flash loves his speed force. Winter had already arrived, and I was stuck on a site that could earn me some bucks but was very well secured, secure to the point of putting session tokens on the log-out button, if you know what I mean. They had taken every aspect of security into consideration to make it safer for all their customers, but... a big freaking BUT: somewhere along the line they missed one particular place where I think we researchers would never search for bugs (at least I never would have). I learned my lesson on this site. It is always a new experience to see something out of the ordinary; it teaches you that beyond what we know, have learned or have seen, there are far more things that can come in handy in your future hunting.
So here was this site with steel-enforced security; I already told you why I am praising the website's security. I got a ping on LinkedIn that the owner of this site was looking for a pentester and would pay a bounty if I reported security issues to them (I won't be sharing a screenshot of the chat). While the owner was polite enough to talk to, the developer-cum-security analyst was ridiculous (I will tell you why in a moment). The owner said they would pay a four-figure bounty if the security issue I reported directly impacted their customers' safety or the business, but if it fell into any other category they would not be able to pay anything. In my mind: what the freaking hack??? So if I found something medium or low I would get nothing, and if it was critical but did not hamper the business or the registered users it would also be a waste of time. The owner added that if I reported a critical one they would also award all my medium-severity reports (hmm, this is interesting; it's like a challenge, and a way to prove that I have a deep understanding of security). I said okay, and the owner handed our conversation over to the developer, who sent me a mail saying: "Hi! I heard they have hired you to do a security audit. Guess what, it's totally secure and they should not have hired anyone for this, because I am the dev-cum-security in-charge and I know a punk like you won't be able to find anything other than content injection/XSS." I was like.....
To which I replied with extreme politeness: "Then it's a challenge for me. Guess what, let me check out your application and get back to you in a while. That being said, I would really like to know the reason for being so rude in the first place." And then there was a mail from him saying, "You an Indian." I was like...
Okay, I guess this guy has some issues, so I just replied, "Let's talk over my report then," and started checking out all the features they had in place. Everything was perfect; every access control was where it belonged, and I was about to give up when I saw something that should not have been anything worth looking into. By the way, this was a SaaS company I was dealing with, so I was here, as you can see below...
So, you can see that everything in this screen looks quite good, but what the hack is a "microscope" doing there? Have they put it there to view this user's profile as another user, or to view how the profile will look to another user?
Being a hacker, we love to click on each and every thing within our reach, and so I clicked on that icon. I was presented with this:
Cool! Everything is in place; it shows my name and my logged-in IP, and everything looks as normal as it should. But then the "URL", as you can see below...
Mayday! Mayday! We may have got ourselves into a situation. I was like....
At first glance I missed it because the overall app was secure and I was not expecting anything in this part of the site. But then, yes: I could see a parameter in the URL that any user who logs into the web application can reach directly, and we might have a situation where changing the parameter value gives us the information of other users. The endpoint looked the record up by the user_id in the URL and only checked that the caller had a valid session, never that the session belonged to that user: a textbook IDOR. With the anger in mind to give a solid reply to that dev-cum-sick-freak, I changed the value and hit the Enter key (we all hit this key with an evil laugh in mind).
It gave me all the details of another user. I was very happy, I enjoyed the challenge, and it was time to shut that freak's mouth.
Below you can see the PoCs for the IDOR bug, which disclosed the personal IPs of all the users...
Then another user_id revealed that user's details.....
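The bug boils down to one missing object-level authorization check on the profile view. The Python below is an added example, not code from this post or from the application: it models the endpoint as an in-memory handler over a constructed users table, assumes the parameter is named user_id (the post shows the parameter, not the server side), puts the vulnerable lookup beside a hardened one, and automates the manual "change the value and hit Enter" test as a probe that reports which ids leak another user's IP.

```python
# Added example (not the post's own code): models the "view profile" endpoint
# from the write-up as an in-memory handler, in its vulnerable form beside a
# hardened one, plus a probe that enumerates user_id values the way the author
# did by hand. Names, ids and IPs below are constructed for illustration.

# Constructed sample data; the real application's schema is not shown in the post.
USERS = {
    101: {"name": "alice", "last_login_ip": "203.0.113.10"},
    102: {"name": "bob",   "last_login_ip": "198.51.100.7"},
    103: {"name": "carol", "last_login_ip": "192.0.2.55"},
}


class Forbidden(Exception):
    """Raised where a real app would answer HTTP 403."""


def vulnerable_profile_view(session_user_id, user_id):
    """Mirrors the bug: the record is fetched by the user_id taken from the
    URL, and the only check is that *some* user is logged in."""
    if session_user_id not in USERS:
        raise Forbidden("login required")
    record = USERS.get(user_id)
    if record is None:
        return None
    return {"user_id": user_id, **record}


def hardened_profile_view(session_user_id, user_id):
    """Object-level authorization: the requested id must be the caller's own.
    For a "how my profile looks to others" preview the parameter is not needed
    at all; reading the id from the session is the simplest fix, and this
    check is equivalent to doing that."""
    if session_user_id not in USERS:
        raise Forbidden("login required")
    if user_id != session_user_id:
        raise Forbidden("not your profile")
    return {"user_id": user_id, **USERS[user_id]}


def idor_probe(handler, session_user_id, candidate_ids):
    """Automates the manual test from the write-up: with one logged-in session,
    request every candidate id and collect those that return data belonging
    to somebody else. Returns {user_id: last_login_ip} for each leak."""
    leaked = {}
    for uid in candidate_ids:
        if uid == session_user_id:
            continue
        try:
            record = handler(session_user_id, uid)
        except Forbidden:
            continue
        if record is not None:
            leaked[uid] = record["last_login_ip"]
    return leaked


if __name__ == "__main__":
    # Alice (101) is logged in and walks the neighbouring ids, as in the post.
    print("vulnerable:", idor_probe(vulnerable_profile_view, 101, range(100, 106)))
    print("hardened:  ", idor_probe(hardened_profile_view, 101, range(100, 106)))
```

Against `vulnerable_profile_view`, Alice's session pulls back Bob's and Carol's IPs; against `hardened_profile_view` the probe comes back empty and Alice can still see her own record. The same probe, pointed at a real endpoint with two test accounts, is the quickest regression test to hand back with an IDOR report.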
So, finally, I made the PoC and the report and sent them to the sec-freak, Cc'ing the owner of the company, because that dev was a freak: he might patch it and tell the owner it was false. The owner was happy and rewarded a good amount of bounty for this one and for the others I reported after that.... I sent a mail to the freak, Cc'ing the owner, saying: "You were saying this is security proof and a person like me won't be able to find anything but XSS/content injection. Guess what, you underestimated Indian security researchers. I just bypassed your security without even opening our favourite tool, i.e. Burp Suite." Silently, a mail came from him saying sorry for his earlier behaviour.
The owner really knows how to make a hacker happy: I got rewarded with $1337....
Keep Hunting and Keep Learning
Amazing, bro
Thanks, bro....