Let me start with a “disclaimer” :P I am not a bug bounty hunter and I tend to align myself more towards penetration testing and reverse-engineering, so opportunities like these are rare for me. Yeah, I did enjoy this experience and I hope you do too :)
— — — — — — — — — —
IDOR, or Insecure Direct Object References, occurs when an application provides direct access to objects based on user-supplied input. As a result, attackers can bypass authorization and access resources in the system directly.
— — — — — —
One day I decided to download the provisional fee receipt issued by our college. Now, for those of you who are unaware, our college uses an ERP (enterprise resource planning) system to manage non-academic tasks.
That means anyone can extract personally identifiable information for any other user with absolutely zero authentication, armed only with knowledge of the URL 😢
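To make the flaw concrete, here is an added example (not code from this post or from the college's ERP) that models the same pattern in a few lines of Python: a receipt endpoint that looks up a PDF purely by the `id` in the URL, beside a hardened version that requires a session and checks that the receipt belongs to the logged-in student. The receipt store, the `/erp/receipt?id=…` path and the student ids are all constructed for the illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data standing in for the ERP's receipt table
# (hypothetical ids and contents, not from the real system).
RECEIPTS = {
    "1001": {"student_id": "S-1", "pdf": b"%PDF-1.4 provisional fee receipt for S-1"},
    "1002": {"student_id": "S-2", "pdf": b"%PDF-1.4 provisional fee receipt for S-2"},
}


class Unauthorized(Exception):
    """No valid session: the caller is not logged in."""


class Forbidden(Exception):
    """Logged in, but not allowed to see this object (or it does not exist)."""


def receipt_id_from_url(url):
    """Extract the user-controlled 'id' query parameter from a URL such as
    /erp/receipt?id=1002 (hypothetical path used only in this example)."""
    values = parse_qs(urlsplit(url).query).get("id")
    return values[0] if values else None


def fetch_receipt_vulnerable(session, url):
    """IDOR pattern: the id taken from the URL is used directly as the lookup key.
    A session object is accepted but never consulted, so there is neither an
    authentication check nor an ownership check; any id that exists is served."""
    receipt = RECEIPTS.get(receipt_id_from_url(url))
    return receipt["pdf"] if receipt else None


def fetch_receipt_hardened(session, url):
    """Same lookup with the two checks the vulnerable version lacks:
    1. authentication: the request must carry a server-side session;
    2. authorization: the record must belong to the session's student.
    A foreign record and a missing record get the same error so the endpoint
    cannot be used to enumerate which ids exist."""
    if not session or "student_id" not in session:
        raise Unauthorized("login required")
    receipt = RECEIPTS.get(receipt_id_from_url(url))
    if receipt is None or receipt["student_id"] != session["student_id"]:
        raise Forbidden("receipt not found or not yours")
    return receipt["pdf"]


def exposes_foreign_receipt(fetch, session):
    """Defender's check: True when `fetch` hands the given session the receipt
    of student S-2 (id 1002), i.e. the endpoint is exposed to IDOR."""
    try:
        pdf = fetch(session, "/erp/receipt?id=1002")
    except (Unauthorized, Forbidden):
        return False
    return pdf == RECEIPTS["1002"]["pdf"]


def denies(fetch, session, url, exc):
    """True when `fetch` rejects the request with exception type `exc`."""
    try:
        fetch(session, url)
    except exc:
        return True
    return False


if __name__ == "__main__":
    s1 = {"student_id": "S-1"}
    print("vulnerable leaks S-2's receipt to S-1:", exposes_foreign_receipt(fetch_receipt_vulnerable, s1))
    print("hardened leaks S-2's receipt to S-1:  ", exposes_foreign_receipt(fetch_receipt_hardened, s1))
    print("hardened rejects unauthenticated call:", denies(fetch_receipt_hardened, None, "/erp/receipt?id=1001", Unauthorized))
```

The point of the hardened version is that the object id coming from the URL is never trusted on its own: ownership is derived from the server-side session, and the "does not exist" and "not yours" cases are deliberately indistinguishable to the caller.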
— — — — —
Now, a provisional fee receipt PDF contains sensitive information, among which the student's signature and the official stamp should be regarded as confidential.
— — — — — —
My first point of contact was my college professor, who advised me to draft a formal mail.
Within minutes I drafted a formal mail after completing the formalities…
— — — — — — — — —
I will be honest here: I have reported a few bugs in the past and the response time is usually quite high, but this was an exception. 😮
It was really amazing to see how, after a few mail exchanges, this issue was quickly escalated, brought to proper attention and resolved in a swift ~5 hr span, which is exceptionally fast o_O
It’s fixed now so no use trying :P
Well, happiness does not always lie in the monetary side of things 🤗 As a reward I did receive some kind words 😄 and an “official” permission to pentest the ERP system 😏
Although this entire experience was in itself an “adventure” for me, since I was not sure how well it would be accepted, in the end it was ez 😋
*** You just read frostbite. Hope you enjoyed the article and suggestions are always welcome :)