IDOR affects all users

How are you, my friends? I hope you are well. Today I will share with you my first write-up, about the first vulnerability I discovered: an IDOR in the global telecommunications company MTN.

I was searching for subdomains and found a domain that offered reservation of products such as devices, books, and software. So I created an account and reserved a book, then cancelled the reservation. I intercepted the request in Burp Suite and started looking closely at the parameters, and found this number at the end of the request.

I was curious to know what this was, so I booked another product, cancelled it, and intercepted the request. I found the same number with its value increased by 1, so I knew it was a unique number for each reservation. To test for IDOR, I created a second account and reserved a product with it, then went back to the cancel request from the first account and increased the value of the number by 1. The product reserved by the second account was deleted.

In this scenario I could delete the reservations of all users by brute-forcing the sequential number.
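The root cause described above is a cancel endpoint that trusts the reservation number in the request and never checks who owns it. The following is an added illustration, not code from this write-up or from MTN: a constructed in-memory reservation store with sequential ids, a handler with the missing ownership check, and a hardened handler that scopes the lookup to the caller and answers "not found" for both missing and foreign reservations, so the response does not confirm which ids exist.

```python
from itertools import count


class Reservation:
    def __init__(self, rid: int, owner: str, product: str):
        self.id, self.owner, self.product = rid, owner, product


class ReservationStore:
    """Constructed stand-in for the backend (assumption); ids are sequential."""

    def __init__(self):
        self._ids = count(1)
        self.items: dict[int, Reservation] = {}

    def reserve(self, owner: str, product: str) -> int:
        rid = next(self._ids)
        self.items[rid] = Reservation(rid, owner, product)
        return rid


def cancel_vulnerable(store: ReservationStore, caller: str, rid: int) -> int:
    """Missing authorization: any authenticated caller can cancel any id."""
    if rid not in store.items:
        return 404
    del store.items[rid]
    return 200


def cancel_secure(store: ReservationStore, caller: str, rid: int) -> int:
    """Ownership check: a reservation that exists but belongs to another user is
    treated exactly like a missing one, so the id space is not enumerable."""
    res = store.items.get(rid)
    if res is None or res.owner != caller:
        return 404
    del store.items[rid]
    return 200


def demo() -> dict:
    """Replays the write-up's scenario: the first account resubmits its own cancel
    request with the id incremented by one. Returns {name: (status, bob_still_has_it)}."""
    results = {}
    for name, handler in (("vulnerable", cancel_vulnerable), ("secure", cancel_secure)):
        store = ReservationStore()
        alice_rid = store.reserve("alice", "book")    # id 1
        bob_rid = store.reserve("bob", "device")      # id 2 == alice_rid + 1
        status = handler(store, "alice", alice_rid + 1)
        results[name] = (status, bob_rid in store.items)
    return results
```

Running `demo()` gives `{'vulnerable': (200, False), 'secure': (404, True)}`; the hardened handler still lets each user cancel their own reservation.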