Discovered a Critical IDOR and Earned $900 for My First P1 Vulnerability!


Hello guys, it has been a very long time since I wrote a bug bounty write-up. Without further delay, let's get into it.

So, first of all, what is IDOR?
Insecure Direct Object Reference is a web application vulnerability that occurs when the application exposes a direct reference to an internal object (a database row ID, a chat ID, a file name) and then serves that object without checking that the requesting user is actually authorized to access it. An attacker who can guess or obtain another user's identifier simply substitutes it and reads (or modifies) data belonging to that user. Severity depends on what the object holds; for private messages it is critical.

Since I am not allowed to disclose the company name, we will refer to it as ‘Redacted Company.’

Instead of relying on automation, I prefer to do hands-on manual bug hunting. While reviewing the Redacted Company's web application, I gained valuable information by closely examining requests and responses.

See what's hidden in the screenshot:

A request to "/get-messages" using the POST method
A JSON body with a "chatId" holding a unique value
Anti-CSRF protection in an "X-Csrf-Token" header

Could the request be vulnerable to IDOR? Possibly: the unique chatId value looks like a direct reference to a server-side object, and if the server never checks that the caller is a participant of that chat, swapping the value would expose someone else's messages.

Could the request be vulnerable to CSRF? No: the anti-CSRF token travels in a custom request header, which a cross-site HTML form cannot set and which a cross-origin script request cannot send without passing a CORS preflight. That makes exploitation hard or even impossible.

So, Now let’s dig deeper with these leads.


I quickly created a dummy account and obtained its chatId. Replacing the chatId in the previous request with the dummy account's value resulted in information disclosure: the application was confirmed vulnerable to IDOR.
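The check above, written out as a minimal, offline model of the /get-messages handler. This is an added example and not the Redacted Company's code: the in-memory CHATS table, the user names and the chat identifiers are constructed sample data. It shows the vulnerable lookup (chatId only, no ownership check) beside the hardened one, and a small harness of the kind you would run with two test accounts to confirm the IDOR.

```python
# Constructed sample data: two users, each with one private chat.
# The identifiers are invented for this example.
CHATS = {
    "c7f3a9": {"owner": "alice", "messages": ["alice: my order number is 4431"]},
    "c7f3aa": {"owner": "bob",   "messages": ["bob: call me on 555-0100"]},
}


class Forbidden(Exception):
    """Stands in for an HTTP 403 from the server."""


def get_messages_vulnerable(session_user: str, chat_id: str) -> list[str]:
    """Vulnerable handler: trusts the client-supplied chatId and never asks
    whether session_user is a participant of that chat."""
    chat = CHATS.get(chat_id)
    if chat is None:
        raise KeyError(chat_id)
    return chat["messages"]


def get_messages_fixed(session_user: str, chat_id: str) -> list[str]:
    """Hardened handler: the object is looked up in the context of the
    authenticated user. A missing chat and someone else's chat produce the
    same response so the endpoint does not become an existence oracle."""
    chat = CHATS.get(chat_id)
    if chat is None or chat["owner"] != session_user:
        raise Forbidden()
    return chat["messages"]


def idor_check(handler, attacker: str, victim_chat_id: str, victim_marker: str) -> bool:
    """Replay the request from the attacker's session with the victim's chatId.
    Returns True when a string known only to the victim comes back, i.e. when
    the handler is vulnerable to IDOR."""
    try:
        body = handler(attacker, victim_chat_id)
    except (Forbidden, KeyError):
        return False
    return any(victim_marker in m for m in body)


if __name__ == "__main__":
    # bob (the dummy account) tries to read alice's chat.
    print("vulnerable:", idor_check(get_messages_vulnerable, "bob", "c7f3a9", "4431"))
    print("fixed:     ", idor_check(get_messages_fixed, "bob", "c7f3a9", "4431"))
```

The marker string matters: comparing status codes alone is not enough, because a "fixed" endpoint that returns 200 with an empty list and a vulnerable one that returns 200 with data look identical to a naive diff. Plant a unique value in the victim account's messages and grep for it.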

But, How Can I Enumerate ‘ChatId’ Values?

So I approached the task again, analyzing the application's requests to enumerate chatId values. Unfortunately, I had no luck and didn't find anything useful.

I took a break, got a good sleep, and sat down with the task again. Always remember, when you are stuck, taking breaks can help distract your mind and give you the patience to think more clearly.

After 2 hours of analysis, I uncovered a cryptographic failure and information disclosure.

I discovered a parameter called “messageId” and an endpoint that leaked messageIds for many users.

By working out the relationship between messageId and chatId, I discovered it was just a simple fixed byte increment. Now I had access to private information for all chatIds associated with those users.
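One way to turn that observation into an enumeration step, as an added example that is not the author's script. The post does not say how the identifiers are encoded, so this example assumes hex-encoded integers with a constant offset between a message's messageId and its chatId; the sample identifiers and the leaked list are constructed. The important part is the confirmation step: derive the offset from one pair you legitimately own, then check it against a second pair from a second dummy account before trusting it across the leaked set.

```python
def infer_offset(own_message_id: str, own_chat_id: str) -> int:
    """Compute the constant difference from one (messageId, chatId) pair that
    belongs to your own account. Assumes hex-encoded integers (an assumption
    made for this example, not the target's documented format)."""
    return int(own_chat_id, 16) - int(own_message_id, 16)


def chat_id_from_message_id(message_id: str, offset: int) -> str:
    """Apply the offset and re-encode with the same zero-padded width."""
    value = int(message_id, 16) + offset
    return format(value, f"0{len(message_id)}x")


def confirm_offset(known_pairs: list[tuple[str, str]], offset: int) -> bool:
    """Only trust the offset if every pair you own agrees with it. One pair can
    fit any offset by construction; a second independent account is the check."""
    return all(chat_id_from_message_id(m, offset) == c for m, c in known_pairs)


def enumerate_chat_ids(leaked_message_ids: list[str], known_pairs: list[tuple[str, str]]) -> list[str]:
    """Derive, confirm, then map every leaked messageId to its chatId."""
    offset = infer_offset(*known_pairs[0])
    if not confirm_offset(known_pairs, offset):
        raise ValueError("offset is not constant across known pairs; relationship is not a fixed increment")
    return [chat_id_from_message_id(m, offset) for m in leaked_message_ids]


if __name__ == "__main__":
    # Constructed: pairs observed from two dummy accounts, plus a leaked list.
    known = [("00a1f0", "00a1f5"), ("00b200", "00b205")]
    leaked = ["00a1f0", "00b200", "00c3ff"]
    print(enumerate_chat_ids(leaked, known))
```

If the second account's pair does not agree, stop: the relationship is something other than a fixed increment, and feeding guessed chatIds into the endpoint at that point only generates noise in the target's logs without proving anything.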

So, I wrote a detailed report and submitted it with a proof of concept. After a week, the report was accepted and I was rewarded with $900.

What is the takeaway? Note down your leads. Analyze the requests and dig for more information. 🧠

Hope you had a valuable read, See you next time.

Follow me on Twitter, LinkedIn, and Instagram.

Have a nice day!
