I Found An IDOR Flaw where users' attached pictures and documents were leaked.


AjakCybersecurity

Thank you for 2K followers, keep showing love :) Hi, Ajak Amico here, welcome back to another blog. I will explain how I found an IDOR vulnerability in a particular API request which let me see other users’ attached documents and pictures. So before starting, if you haven’t subscribed to our channel, do subscribe, guys.

Follow our Youtube Channel: @ajakcybersecurity (360 Videos)

Follow on Instagram: AjakCybersecurity

So the first step of my recon was subdomain enumeration. For this I used the online tool below, which is quick and effective: https://subdomainfinder.c99.nl/ , and then the Bulk URL extension to open and see which domains were live. On the other side, I fired up my Kali Linux and used waybackurls to fetch archived URLs.

This is a site where users create tickets and send complaints regarding phishing and banking queries. The website had different features such as creating posts, a login page, a register page, attaching images and documents to a post, and much more, so I wanted to play with it.

The website was behind the Cloudflare WAF: when you try to insert any malicious query into any API, your request gets blocked. It was a good site to play with for IDOR vulnerabilities, but my requests kept getting blocked. The important thing about exploiting here is that if the community manager finds your activity suspicious, your whole account gets banned; 2 of my accounts got banned for brute forcing and inserting SQLi payloads when submitting tickets.

OK, coming back: I created a support ticket, which has options like attaching images and documents, so I immediately attached an image, clicked on “preview ticket”, and this is how it looked:

Before posting it, I clicked on “copy image address” and opened it in a new tab, and my request looked like this:

https://www.target.tld/attachment.php?attachmentid=423&id=1713291982

I tried to change the ‘id’ (user id) and nothing worked, but once I changed the ‘attachmentid’ I got a new picture in my browser, one containing some bank details and an address. I was surprised and captured the request and response in Burp; this is what it looked like:

GET /attachment.php?attachmentid=423&id=1713291982 HTTP/2
Host: target.tld
Cookie: xxx
Sec-Ch-Ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
If-None-Match: "425"
If-Modified-Since: Tue, 16 Apr 2024 18:26:23 GMT

HTTP/2 200 OK
Date: Tue, 16 Apr 2024 18:29:21 GMT
X-Powered-By:
Etag: "425"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: : nosniff
Content-Security-Policy: frame-ancestors 'self';
Cf-Cache-Status: DYNAMIC
Server: cloudflare
Cf-Ray: 87563d83af23643f-LHR

No CSRF token💀, and now I was able to download many images and documents of other users, as shown in the picture below. For security reasons, I have blurred all sensitive information and transaction amounts.
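The root cause shown by the request above is that attachment.php looks the file up by attachmentid alone and never ties it to the logged-in user, so changing the id parameter did nothing while changing attachmentid returned other users' files. The following is an added example, not code from the post or from the affected site; it models the lookup in plain Python with a constructed in-memory attachment table (the ids, user ids and file contents are made up) and places a hardened handler, which derives the user from the session and scopes the lookup to that user's own attachments, beside the vulnerable one.

```python
"""Attachment download authorization: the IDOR-prone lookup beside its hardened form.

Added illustration; the site in the writeup is PHP and its real code is not shown.
All ids, user ids and file bytes below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Attachment:
    attachment_id: int
    owner_user_id: int  # the user who uploaded the file (the ticket author)
    filename: str
    content: bytes


# Constructed stand-in for the site's attachment table. 1713291982 is the
# requester's own user id from the writeup; the other two rows belong to other users.
ATTACHMENTS: Dict[int, Attachment] = {
    423: Attachment(423, 1713291982, "screenshot.png", b"\x89PNG...own upload"),
    424: Attachment(424, 1713290001, "statement.pdf", b"%PDF-1.4 ...another user's bank details"),
    425: Attachment(425, 1713290002, "address.jpg", b"\xff\xd8\xff...another user's address"),
}


def fetch_attachment_vulnerable(attachmentid: int, id: int) -> Optional[bytes]:
    """Mirrors the behaviour observed in the writeup.

    The record is selected by attachmentid only. The 'id' query parameter is
    accepted but never compared against anything, which is why changing it had
    no effect while incrementing attachmentid handed back other users' files.
    """
    att = ATTACHMENTS.get(attachmentid)
    return att.content if att is not None else None


class NotFound(Exception):
    """Raised for both 'no such attachment' and 'not yours'."""


def fetch_attachment(session_user_id: int, attachmentid: int) -> bytes:
    """Hardened handler.

    The requesting user comes from the authenticated session (the Cookie header),
    never from a query parameter, and the lookup is scoped to attachments that
    user owns. Missing and not-owned collapse into the same NotFound so the
    endpoint cannot be used to learn which attachment ids exist.
    """
    att = ATTACHMENTS.get(attachmentid)
    if att is None or att.owner_user_id != session_user_id:
        raise NotFound(f"attachment {attachmentid} not found for user {session_user_id}")
    return att.content


def can_read(session_user_id: int, attachmentid: int) -> bool:
    """True if the hardened handler serves this attachment to this session."""
    try:
        fetch_attachment(session_user_id, attachmentid)
        return True
    except NotFound:
        return False


def leaked_by_vulnerable_handler(session_user_id: int, ids) -> list:
    """Audit helper: ids the vulnerable handler returns although the session does not own them."""
    leaked = []
    for aid in ids:
        body = fetch_attachment_vulnerable(aid, session_user_id)
        if body is not None and not can_read(session_user_id, aid):
            leaked.append(aid)
    return leaked


if __name__ == "__main__":
    me = 1713291982
    print("vulnerable handler leaks:", leaked_by_vulnerable_handler(me, range(423, 426)))
    print("hardened handler, own file:", can_read(me, 423), "| foreign file:", can_read(me, 424))
```

In a real ticketing system the ownership predicate is usually broader than "uploader equals requester" (ticket participants and support staff may legitimately read the file), but the shape stays the same: resolve the principal from the session, then query for the attachment with that principal as part of the lookup, rather than fetching by id and trusting a client-supplied user id.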

OK, now the toughest job is scraping each and every image and PDF manually. As I already said, your account will be banned by the community manager if any malicious activity or brute forcing takes place, so I opened ChatGPT and asked it to give me 50 requests just by changing the attachmentid one by one, like below:

Now I opened the Bulk URL extension and pasted all the URLs ChatGPT gave me, like the screenshot below.

This opened all 50 requests in 50 new tabs. It took a little time, but it was worth going through, as I got even more sensitive info from the user-attached pictures and documents. Hope you enjoyed it, I will see you in the next blog :)
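The enumeration described above, one session walking consecutive attachmentid values in a short burst, is exactly the pattern a defender can pick out of the web server or Cloudflare access logs even when each individual request looks legitimate. The following is an added example, not from the post or the site it describes: it parses constructed combined-format access log lines (the IPs, timestamps and ids are made up, modelled on the request shown earlier), groups attachment.php hits per client, and raises an alert when one client requests at least a threshold of distinct attachment ids inside a sliding time window, reporting the id range so an analyst can see the sequential walk.

```python
"""Detect attachment-id enumeration in access logs (added example, constructed data)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined"-style line: ip ident user [ts] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


@dataclass(frozen=True)
class Hit:
    ip: str
    ts: datetime
    attachment_id: int
    status: int


@dataclass(frozen=True)
class Alert:
    ip: str
    distinct_ids: int
    first_id: int
    last_id: int
    denied: int  # non-200 responses inside the window (high when the fix is in place)


def parse_line(line: str) -> Optional[Hit]:
    """Return a Hit for attachment.php requests carrying an integer attachmentid, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["path"])
    if url.path != "/attachment.php":
        return None
    raw = parse_qs(url.query).get("attachmentid")
    if not raw:
        return None
    try:
        aid = int(raw[0])
    except ValueError:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return Hit(m["ip"], ts, aid, int(m["status"]))


def detect_enumeration(lines: List[str], threshold: int = 10, window_seconds: int = 60) -> List[Alert]:
    """One alert per client IP whose densest window holds >= threshold distinct attachment ids."""
    by_ip = defaultdict(list)
    for hit in filter(None, map(parse_line, lines)):
        by_ip[hit.ip].append(hit)

    alerts = []
    for ip, hits in by_ip.items():
        hits.sort(key=lambda h: h.ts)
        best: Optional[Alert] = None
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans at most window_seconds.
            while (hits[end].ts - hits[start].ts).total_seconds() > window_seconds:
                start += 1
            window = hits[start:end + 1]
            ids = {h.attachment_id for h in window}
            if len(ids) >= threshold and (best is None or len(ids) > best.distinct_ids):
                denied = sum(1 for h in window if h.status != 200)
                best = Alert(ip, len(ids), min(ids), max(ids), denied)
        if best is not None:
            alerts.append(best)
    return alerts


# Constructed sample log: one client walks attachmentid 423..434 within 25 seconds
# (its own user id stays constant in the query string, as in the writeup), while a
# second client fetches two of its own files.
SAMPLE_LOG = [
    f'203.0.113.7 - - [16/Apr/2024:18:29:{21 + 2 * i:02d} +0000] '
    f'"GET /attachment.php?attachmentid={423 + i}&id=1713291982 HTTP/2" 200 51234'
    for i in range(12)
] + [
    '198.51.100.9 - - [16/Apr/2024:18:30:05 +0000] "GET /attachment.php?attachmentid=811&id=1713290077 HTTP/2" 200 9001',
    '198.51.100.9 - - [16/Apr/2024:18:31:40 +0000] "GET /attachment.php?attachmentid=812&id=1713290077 HTTP/2" 200 7742',
    '198.51.100.9 - - [16/Apr/2024:18:31:41 +0000] "GET /ticket.php?id=55 HTTP/2" 200 3120',
]

if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

Keying on the client IP is the coarsest choice; where the log includes a session or user identifier, group on that instead, since the account that is enumerating is the one to suspend. After the authorization fix from the earlier section is deployed, the same walk shows up as a run of 404s, which the denied counter surfaces and which is an even cleaner signal.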

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Hope you learned something from this blog; if so, kindly press that follow button for further updates. Best wishes from Ajak Cybersecurity.❤️

“Hold on to what you have learned🔥” (Tamil: கற்றவை பற்றவை)

Learn Everyday, Happy Hacking 😁🙌

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Follow our Youtube Channel: @ajakcybersecurity

Follow on Instagram: @ajakcybersecurity
