.png)
1 week ago
12 BOOK THIS SPACE FOR AD
ARTICLE ADidor affects all users
How are you, my friends I hope you are well. Today I will share with you my first write-up about the first vulnerability I discovered of type idor in the global telecommunications company MTN.
I was searching for subdomains and found a domain that had the advantage of reserving products such as devices, books, and software. So I created an account and reserved a book, then I canceled the reservation. I intercepted the request in the burpsuite and started looking closely at the parameters and found this number at the end of the request
I was curious to know what this was, so I booked another product, canceled and intercepted the order. I found the same number with the value 1 added to it, so I knew that it was a unique number for each reservation, so I went to test the idor loophole, so I created another account and reserved a product, then I went to the order following the first account and increased the value of the number by an amount 1 The product for the second account was deleted
In this scenario I can delete all reservations for all users via a count brute force attack
![Bug Zero — This month in Cybersecurity [01–15 May]](https://miro.medium.com/v2/resize:fit:1200/1*h63f69fTQzKlHMBsy-3a0Q.png)
Bengali (Bangladesh) · 
English (United States) ·