Do IDORs (Insecure Direct Object References) Exist Everywhere?


Hello everyone,

As the infosec community has given me so much, I also plan to contribute to it.
Take this as a tip as well; I guess you can learn from it and report something similar yourself.



For those who don't know what IDOR is:

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly.

Explanation of IDOR

Let's assume a user has user_id 123,
so they access their account by visiting this link:
https://xxxx/profile/123

They change user_id to 456:
https://xxxx/profile/456
and they get the details of user 456.

So that is IDOR in simple terms.
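The profile example above, as an added illustration that is not part of the original post: a minimal lookup function carrying the IDOR, beside the same lookup with an ownership check, and a variant that drops the user-controlled id entirely. The sample records, the Forbidden exception and the function names are assumptions made for this example.

```python
# Added example (not from the original post): the /profile/<id> lookup with
# the IDOR described above, beside the same lookup with an authorization check.
# PROFILES, Forbidden and the function names are assumptions for illustration.
from typing import Dict


class Forbidden(Exception):
    """Raised when the requester is not allowed to read the object."""


# Constructed sample records standing in for the application's user table.
PROFILES: Dict[int, dict] = {
    123: {"name": "Alice", "email": "alice@example.com"},
    456: {"name": "Bob", "email": "bob@example.com"},
}


def get_profile_vulnerable(requested_id: int, current_user: int) -> dict:
    """IDOR: the key comes straight from the URL and the logged-in user is
    never consulted, so user 123 can read /profile/456."""
    return PROFILES[requested_id]


def may_read_profile(requested_id: int, current_user: int) -> bool:
    """Authorization rule: a user may read only their own profile. A real
    application would extend this with roles (e.g. admins) in one place."""
    return requested_id == current_user


def get_profile_fixed(requested_id: int, current_user: int) -> dict:
    """Fixed: authorize before fetching, so the id from the URL is only
    honoured when the authenticated user owns that object. Denials are a
    useful signal to log, since ids being walked is exactly what IDOR
    hunting looks like."""
    if not may_read_profile(requested_id, current_user):
        raise Forbidden(f"user {current_user} may not read profile {requested_id}")
    return PROFILES[requested_id]


def get_own_profile(current_user: int) -> dict:
    """Stronger variant: drop the user-controlled id altogether and key the
    lookup off the session, leaving nothing in the URL to tamper with."""
    return PROFILES[current_user]


if __name__ == "__main__":
    print(get_profile_vulnerable(456, current_user=123))  # leaks Bob's record
    try:
        get_profile_fixed(456, current_user=123)
    except Forbidden as e:
        print("blocked:", e)
    print(get_own_profile(123))
```

The check belongs before the database read, not after it: once the record has been fetched, it is easy for a later refactor to return it on some other code path. Keying the lookup off the session, as in the last function, removes the user-controlled id from the request altogether.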
 


What was the bug exactly?

So I was hunting on a company website and I subscribed to its alerts.
I reported some bugs; some did well and some were duplicates.

Late one evening I got a mail from that company about some errors they had fixed. From that mail I clicked on the unsubscribe button (I don't know why).

It redirected me to one of their subdomains: http://subdomain.target.com/unsubscribe/RKqUAQMAAW6guiHTrzqjsOMmq3Ysmw==

When I clicked the unsubscribe button on that page, I got unsubscribed.

First I thought it was base64 and tried to decode it, but it wasn't base64.

Interesting, as there was no authentication on it, and anyone with the encrypted value could unsubscribe.

So I created another account, clicked on unsubscribe, and it took me to http://subdomain.target.com/unsubscribe/ZKqUAQMAAW6guiHTrzqjsOMmq3Ysmw==

So as you can see:

RKqUAQMAAW6guiHTrzqjsOMmq3Ysmw==
ZKqUAQMAAW6guiHTrzqjsOMmq3Ysmw==

The only difference is in the first character.

I replaced that single character with a random letter and boom, I was able to unsubscribe anyone.

So I read the JS files of that program and came to know that I could also subscribe anyone by appending action=subscribe&submit=Subscribe to the URL.
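The two tokens above compared position by position, followed by one way a defender would design an unsubscribe link so that changing a single character no longer lands on another user's subscription. This is an added example, not the blog's or the target's code; SERVER_KEY, the user id, the action names and the helper functions are assumptions for illustration. The token binds both the user id and the action under a server-side HMAC key, which also covers the action=subscribe trick mentioned above.

```python
# Added example (not the blog's or the target's code): compare the two
# unsubscribe tokens from the post, then show a keyed, action-bound token
# design under which single-character tampering fails verification.
# SERVER_KEY, the user ids, the action names and the helpers are assumptions.
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# The two tokens quoted in the post, one per account.
TOKEN_A = "RKqUAQMAAW6guiHTrzqjsOMmq3Ysmw=="
TOKEN_B = "ZKqUAQMAAW6guiHTrzqjsOMmq3Ysmw=="

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def differing_positions(a: str, b: str) -> List[int]:
    """Indexes at which two equal-length tokens differ."""
    if len(a) != len(b):
        raise ValueError("tokens have different lengths")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


# Constructed server secret; a real deployment keeps this in a secrets store.
SERVER_KEY = os.urandom(32)


def make_token(user_id: int, action: str, key: bytes = SERVER_KEY) -> str:
    """Build an unsubscribe-link token: (user_id, action) plus an HMAC over
    both under the server key. Without the key nobody can mint a token for
    another user, and a token issued for 'unsubscribe' is not valid for
    'subscribe' because the action is part of the authenticated message."""
    msg = f"{user_id}:{action}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(msg + mac).decode()


def verify_token(token: str, expected_action: str,
                 key: bytes = SERVER_KEY) -> Optional[int]:
    """Return the user id the token authorizes for expected_action, or None
    if the token is malformed, tampered with, or issued for another action."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # wrong length / padding
        return None
    if len(raw) <= MAC_LEN:
        return None
    msg, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, expected):
        return None
    # Only a genuine message reaches this point, so parsing cannot fail.
    user_id_s, action = msg.decode().split(":", 1)
    if action != expected_action:
        return None
    return int(user_id_s)


def tamper_first_char(token: str) -> str:
    """Repeat the post's experiment on the hardened token: swap its first
    character for a different valid base64 character."""
    replacement = "A" if token[0] != "A" else "B"
    return replacement + token[1:]


if __name__ == "__main__":
    print("positions that differ between the two tokens:",
          differing_positions(TOKEN_A, TOKEN_B))  # [0]
    token = make_token(123, "unsubscribe")
    print("valid token ->", verify_token(token, "unsubscribe"))  # 123
    print("first char changed ->",
          verify_token(tamper_first_char(token), "unsubscribe"))  # None
    print("replayed as subscribe ->", verify_token(token, "subscribe"))  # None
```

A long random token stored server-side and looked up on use works just as well; what matters is that the link value cannot be derived from a neighbour's, that the server checks it rather than trusting whatever was decoded, and that a token for one action cannot be reused for another. Failed verifications are worth logging, since a burst of them from one client is the signature of someone walking the token space.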



Timeline:
1. Report sent
2. Bounty awarded: $0

As the data was not confidential and there was no leakage, I was awarded $0 for it, but I was glad to explore this side as well.


 


 
