How I Got My First IDOR Bug In Google

4 years ago 226
BOOK THIS SPACE FOR AD
ARTICLE AD

Aryan Tech

Hello My fellow Bugbounty Hunters And Infosec Community.I Am Anurag Kumar An BugBounty Hunter From India.I Hope You All Are good.So This is My Writeup About How i Got My First IDOR bug in Google Which was Leak Company Private Emails and sensitive informations.

Image for post

Image for post

What is IDOR

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly

So let’s explain what I did,

So This was started in May 2020.My Another Friend And Bugbounty Hunter Pratik Dabhi got His First Bug in Google And Honorable mentions.Motivating by Him i also Thought To Try in Google.I choosed an Google Aquision is my target.So Suppose that the target is redaced.com.I follow simple methodology that trying with go reconnaissance, gathering as much as sub domains with different tools like assetfinder,findomain,amass and another Resources.After spending 8 hours.I Founded a intresting endpoint in main domain and it was.

https://www.redacted.com/portfolio/{COMPANY ID}

So Basically its a company portfollio where on Individual Companies/Users Are Able to Contect to Company regarding His Projects And queries.After Exploring This portfollio I Notice that When i am trying to send message to company/users through portfollio, intercept the request through burpsuite and i saw that hidden parameter also send through hidden parameter which be like

<input name=”partner” type=”hidden” value=”companyemail” /> <input name=”company” type=”hidden” value=”another company sensitive info” />

And after that its redirect me to my gmail account.So i try to increment or decrement portfolio id parameter And i was able to fetch All INDIVIDUAL/USERS Personal emails And Other information through Bruteforcing {COMPANY} Parameter And After That I was like

Image for post

Image for post

I immedietly Reported This Issue To Google

03–05–2020 Reported bug to google

05–05–2020 Bug Accepted By Google And Honorable Mentions

Image for post

Image for post

Always Check hidden input parameter in Every Request And Response.Sometimes its gives you a good informations

Thanks For Reading My Writeup

Linkedin profile

https://www.linkedin.com/in/anurag-kumar-8413a0197/

Read Entire Article