REDACTED is a web store that sells a variety of products. While conducting bug bounty hunting on this target, I stumbled upon some vulnerabilities. This time, I focused on testing for IDOR in all functions. After some time, I found one.
Before purchasing any product, users can add items to their shopping basket. During my testing, I identified an IDOR vulnerability that allowed an attacker to delete items from a victim’s shopping basket without their consent.
But it’s very hard for the program to accept this: how will the attacker get the victim’s [basketId — itemId]?
-> The attacker may be able to brute-force the itemId, but for the basketId it’s impossible.
So I decided to find a way to obtain the basketId.
After some searching, I discovered a GraphQL request that retrieved the basketId and itemId.
The request has [Cookie — basketId] to check the user.
basketId -> I can’t know this, but after some thinking I tried to remove it and got a 400 Bad Request.
I wrote null and, to my surprise, it worked if I put any value in the id, like (null, test, 1, etc…).
Every request gave me another basketId.
This discovery revealed that the server did not check the user’s cookie for the basketId.
Cookie -> Not checked
Now we have the answer to the question of the victim’s [basketId — itemId].
I can delete items from a victim’s shopping basket.
The weird thing here: after deleting any items from a victim’s basket, my products were added to the victim’s basket. It’s like a bonus XD :)
Let’s report it…
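The two missing server-side checks described above, shown as an added defensive example (not code from the target or from the original write-up). It assumes each basket belongs to one authenticated session; the names `baskets`, `sessions`, `resolveBasket`, `deleteBasketItem` and `AuthError` are hypothetical, and the data is constructed.

```javascript
// Constructed in-memory data standing in for the store's basket tables.
const baskets = new Map([
  ["b-alice", { owner: "alice", items: new Map([["i1", "keyboard"]]) }],
  ["b-mallory", { owner: "mallory", items: new Map([["i9", "mouse"]]) }],
]);
// Server-side sessions: cookie token -> authenticated user (hypothetical).
const sessions = new Map([["tok-alice", "alice"], ["tok-mallory", "mallory"]]);

class AuthError extends Error {}

// Resolve the caller from the session cookie, never from request arguments.
function currentUser(cookieToken) {
  const user = sessions.get(cookieToken);
  if (!user) throw new AuthError("unauthenticated");
  return user;
}

// Basket query: any client-supplied id (null, "test", 1, ...) is ignored.
// The basket is derived from the session, so other users' ids are never returned.
function resolveBasket(cookieToken, _clientSuppliedId) {
  const user = currentUser(cookieToken);
  for (const [id, b] of baskets) {
    if (b.owner === user) return { basketId: id, itemIds: [...b.items.keys()] };
  }
  return null;
}

// Delete mutation: object-level authorization before touching the item.
function deleteBasketItem(cookieToken, basketId, itemId) {
  const user = currentUser(cookieToken);
  const basket = baskets.get(basketId);
  // Same error for "missing" and "not yours" so ids cannot be probed.
  if (!basket || basket.owner !== user) throw new AuthError("basket not found");
  return basket.items.delete(itemId);
}
```

Both handlers take identity only from the session, so a guessed or leaked basketId gives a caller nothing to act on.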
That’s all for today. I hope you all enjoyed it and learned something new.