How I Found Multiple IDORs

7 months ago

NIKHIL RANE

Hi people, my name is Nikhil Rane, a bug bounty hunter from India. I never tried writing blogs as I am not used to writing articles, but lately I started exploring write-ups, and a lot of people keep asking me what kind of vulnerabilities I report. So here is a glimpse of my recent attack. I will try to write more :)

So I came across a private bug bounty website with login functionality, which I always look for so I can get a wider range of attacks. I always go for websites with sign-up and login, as I get multiple parameters and functionalities to test.

IDOR (Insecure Direct Object Reference) is a vulnerability that falls under the Broken Access Control category in the OWASP Top 10. When we create an account, every account gets its own unique id number, which can be random or sequential, just like each student in a school has their own roll number. The problem arises when the server takes that id from the request and never checks that it belongs to the logged-in user. Through IDOR we can then read, change and delete other users' data: simply changing the id number to the victim's id lets us delete, read or change the victim's data, depending on the request.

I started navigating everything in the website and exploring the parameters; there were options to create your wishlist, add items to the basket and delete items. So initially I went for stored XSS and other injection attacks, which were blocked by the firewall. There was a CSRF token on every other functionality, so I tried bypassing it but failed.

I started adding things to the basket and playing with the parameters. Sadly I didn't find anything interesting. I navigated to the basket page and found that there is an option to delete the basket. I intercepted the traffic and found there was no CSRF token, so I immediately generated a CSRF PoC, but while generating it I found that the basket has a unique number, so I dropped my plans for the CSRF attack.

Basket id number.

I immediately created another account, treating it as the victim, added an item to the victim's basket, copied the victim's unique basket id number and swapped it in for my own id number. The item was deleted from the victim's basket, so I started testing the same vulnerability on adding items, creating a wishlist and deleting a wishlist. As the developer used the same functionality there, I was able to exploit those too.
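To make the root cause concrete, here is an added example (not the target site's code, and not the author's) of a basket-delete handler written the way the write-up describes, next to a fixed version. The in-memory store, the user ids 100 and 42, the basket ids and the function names are all constructed for illustration. The fixed handler looks the basket up through the session user, so a foreign id behaves exactly like a non-existent one, and it returns no 302 that could be used as an oracle; the unpredictable id generator is defence in depth on top of that check, not a replacement for it.

```python
"""Vulnerable vs. fixed 'delete basket' handler (constructed example)."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Basket:
    basket_id: str
    owner_id: int
    items: list = field(default_factory=list)


def make_store():
    """Constructed sample data: user 100 owns basket '1001', user 42 owns '1002'."""
    return {
        "1001": Basket("1001", owner_id=100, items=["pen"]),
        "1002": Basket("1002", owner_id=42, items=["book", "lamp"]),
    }


def delete_basket_vulnerable(store, current_user_id, basket_id):
    """IDOR: trusts the client-supplied basket id and never checks who owns it.
    current_user_id is taken from the session but ignored, which is the bug."""
    if basket_id not in store:
        return 404
    del store[basket_id]
    return 302  # redirect on success, as observed in the write-up


def delete_basket_fixed(store, current_user_id, basket_id):
    """Ownership check: the basket must exist AND belong to the session user.
    Both failure cases return the same 404, so a foreign id cannot be
    distinguished from a non-existent one by the status code."""
    basket = store.get(basket_id)
    if basket is None or basket.owner_id != current_user_id:
        return 404
    del store[basket_id]
    return 302


def new_basket_id():
    """Unpredictable id (defence in depth). Sequential or 8-digit numeric ids
    are cheap to enumerate; a random token is not. The ownership check above
    is still required, since a leaked id must not grant access on its own."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    store = make_store()
    print("vulnerable, user 100 deletes 1002:", delete_basket_vulnerable(store, 100, "1002"))
    store = make_store()
    print("fixed, user 100 deletes 1002:", delete_basket_fixed(store, 100, "1002"))
    print("fixed, user 42 deletes 1002:", delete_basket_fixed(store, 42, "1002"))
```

The same pattern applies to the wishlist rename and delete endpoints the write-up mentions: every handler that receives an object id must resolve that object in the context of the authenticated user, and the check belongs in the server-side handler, not in the client.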

Now the question is how I will get the victim's unique id number, as here I already know it. Let's take an example: if my id number is 100, I know there are people with account numbers 1 to 99. I will make a list of numbers from 1 to 99 in a text file and perform the brute force attack.

To show more impact in deleting the basket, I mentioned in the impact that an attacker can create a file with unique ids from 00000000 to 99999999 and brute force the unique id parameter, so the attacker can delete every user's basket items. While deleting, I would be getting the legitimate id numbers of victims, as I came to know that when a basket is deleted the response shows a 302 status code, so I could change the name of the wishlist just to trouble or troll other users. Similarly, I exploited this IDOR on changing the wishlist name and deleting the wishlist. There are still more things to be explored in the website. As I was able to chain my attack, it is impactful.

Status code of deleting basket
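The enumeration the write-up describes (sequential ids, with the 302 acting as an oracle for which ids exist) leaves a distinctive trace in access logs. The following is an added example, not part of the original post, of a small detector run over constructed log lines: it parses DELETE requests carrying an id parameter, groups them by user, and flags a user whose deletes span many distinct, nearly sequential ids. The log format, the threshold values and the function names are assumptions for this example; a real deployment would read them from the server's own log format.

```python
"""Detect id-enumeration against a delete endpoint in access logs (constructed example)."""
import re
from collections import defaultdict

# Constructed sample log lines, not from the target site.
# Format assumed here: <timestamp> user=<id> <METHOD> <path> <status>
SAMPLE_LOG = """\
2024-04-01T10:00:01Z user=100 DELETE /basket/delete?id=1001 302
2024-04-01T10:00:02Z user=100 DELETE /basket/delete?id=1002 302
2024-04-01T10:00:02Z user=100 DELETE /basket/delete?id=1003 404
2024-04-01T10:00:03Z user=100 DELETE /basket/delete?id=1004 404
2024-04-01T10:00:03Z user=100 DELETE /basket/delete?id=1005 302
2024-04-01T10:00:04Z user=100 DELETE /basket/delete?id=1006 404
2024-04-01T10:05:00Z user=42 DELETE /basket/delete?id=2207 302
2024-04-01T10:06:00Z user=42 GET /basket 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
ID_RE = re.compile(r"[?&]id=(\d+)")


def parse_delete_events(log_text):
    """Return (user, object_id, status) for every DELETE that carries an id parameter."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "DELETE":
            continue
        idm = ID_RE.search(m["path"])
        if not idm:
            continue
        events.append((m["user"], int(idm.group(1)), int(m["status"])))
    return events


def find_enumeration(events, min_ids=5, max_gap=2, min_sequential_ratio=0.8):
    """Flag users whose DELETE calls touch at least `min_ids` distinct ids that are
    mostly within `max_gap` of each other (a sequential sweep). Returns a dict
    keyed by user with counts that help triage: how many deletes succeeded (302,
    i.e. an existing object was hit) versus were not found (404)."""
    by_user = defaultdict(list)
    for user, obj_id, status in events:
        by_user[user].append((obj_id, status))

    findings = {}
    for user, hits in by_user.items():
        ids = sorted({obj_id for obj_id, _ in hits})
        if len(ids) < min_ids:
            continue
        gaps = [b - a for a, b in zip(ids, ids[1:])]
        sequential_ratio = sum(1 for g in gaps if g <= max_gap) / len(gaps)
        if sequential_ratio >= min_sequential_ratio:
            findings[user] = {
                "distinct_ids": len(ids),
                "sequential_ratio": round(sequential_ratio, 2),
                "successes": sum(1 for _, s in hits if s == 302),
                "not_found": sum(1 for _, s in hits if s == 404),
            }
    return findings


if __name__ == "__main__":
    for user, summary in find_enumeration(parse_delete_events(SAMPLE_LOG)).items():
        print(f"user {user}: {summary}")
```

Any successful delete (302) counted inside a flagged sweep is a strong signal that the ownership check is missing, because a legitimate user has no reason to hit a run of consecutive ids. Rate limiting the endpoint per user and returning the same 404 for foreign and non-existent ids reduce the signal an enumerator gets, but the fix that removes the vulnerability is the server-side ownership check.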

As there are multiple similar functionalities in the website, there is a high chance that similar vulnerabilities can be exploited. So keep on exploring functionalities.

Within a couple of days, I got a reply, and the reward is yet to be decided due to the Easter break :)

Asking for mitigation.

I hope you enjoyed reading it.
