So I was testing a private program with lots of unique features & functionalities. After testing for a while, I found a couple of stored XSS, which I won’t discuss here. And after a month or so, I thought I should look for IDORs, but at first couldn’t find any 😞
Then, after testing for a while, I thought of a scenario which goes like this:
Suppose this is the application with lots of tabs! In one of them, I can create objects which are further used in creating another type of object.
Also, as there are objects, they must also have unique identifiers (IDs)!
I tried IDOR on creating, deleting, updating etc… but nothing worked!
Now if you focus on Object X-2's objects, you may see that they’re using objects of Object X-1.
What if I change the ID of Object X-1's object that is pointed to by Object X-2's object while editing the object of Object X-2 😁
So Object X-2’s object is now pointing to the Object X-1 object which doesn’t belong to the current project!
Well, it worked 😸 and I was like: yeyey
Scenario:
A malicious user can read/point to objects that belong to other projects.
reward: $300
Takeaway:
Don’t just test in basic ways, because that’s already been done like 10000 times. Good dollars require a good perspective 💰
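The root cause described above is an update handler that authorizes the object being edited but not the object it references. The following is an added example, not code from the program in this write-up: a minimal Python model of that handler beside a hardened version. All names (`X1`, `X2`, the stores, both functions) and the sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class X1:                 # "Object X-1": building block owned by one project
    id: int
    project_id: int
    secret: str

@dataclass
class X2:                 # "Object X-2": holds a reference to an X-1 object
    id: int
    project_id: int
    x1_id: int

# Constructed sample data: two projects, one X-1 object each.
X1_STORE = {
    10: X1(10, project_id=1, secret="project-1 data"),
    20: X1(20, project_id=2, secret="project-2 data"),
}
X2_STORE = {100: X2(100, project_id=1, x1_id=10)}

class Forbidden(Exception):
    pass

def update_x2_vulnerable(user_project, x2_id, new_x1_id):
    x2 = X2_STORE[x2_id]
    if x2.project_id != user_project:   # only the edited object is authorized
        raise Forbidden("x2 not in your project")
    x2.x1_id = new_x1_id                # client-supplied reference trusted as-is
    return X1_STORE[x2.x1_id].secret    # rendering X-2 dereferences foreign X-1

def update_x2_hardened(user_project, x2_id, new_x1_id):
    x2 = X2_STORE[x2_id]
    if x2.project_id != user_project:
        raise Forbidden("x2 not in your project")
    target = X1_STORE.get(new_x1_id)
    # Same error for "missing" and "foreign" so IDs cannot be enumerated.
    if target is None or target.project_id != x2.project_id:
        raise Forbidden("referenced x1 not available")
    x2.x1_id = new_x1_id                # write only after the reference is authorized
    return target.secret
```

The same scoping check belongs on every field that carries another object's ID, on create as well as update, since the direct create/delete/update checks on the parent object do not cover it.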