IDOR leads to leak of medical insurance documents


Abdullah Mohamed

Hi everyone, today I will talk about an IDOR vulnerability that I found in an insurance company that leaks the medical insurance documents of nearly 100,000 customers.

First, I will tell you a little story about how I found this company.

One day, I applied for a visa to travel to Saudi Arabia, and among the requirements for obtaining a visa is to obtain medical insurance from an insurance company. I chose this company; let’s call it Example company. After I paid the fees for this company, they sent me the URL of my medical insurance document, and the URL was like this:

https://document.example.com/1682425711431052.pdf

The file name was the same as the insurance policy number, so if you knew someone else’s insurance policy number, you would be able to get his insurance document. But at that time I didn’t pay any attention to the matter.

How I found the vulnerability

I received an email from the company offering a service regarding the risks of infection from Corona Virus (Covid-19) and to pay and get this service, “Please click on the following link”.

When I opened the link, I found my passport number and insurance policy number in front of me. I took a quick look at what the URL looked like; it was like this:

https://www.example.com/en/AddBenefit/62251

I changed the number in the endpoint to 62252.

Surprisingly, another customer’s page appeared to me containing his passport number and his policy number.

After that I sent the request to Burp to find a way to dump all the medical insurance documents at once. First I had to fetch the policy numbers of all customers, so I sent the request to Intruder.

The request: https://www.example.com/en/AddBenefit/$Payload

Payload Options [Numbers]: From 00000 To 90000, Step:1

Then I used the Grep - Extract option to extract the policy number from each response.

Grep - Extract option

The attack was successful and I managed to get the policy numbers.

Note: My purpose was not to dump all the medical documents; I did this attack only to escalate the severity, and actually the payloads were only 100 numbers.

I copied all the policy numbers from Burp, then I put them in a file named policyNumbers.txt. Then I created a small script that takes the policy numbers from the policyNumbers.txt file and gives them to the URL that downloads the medical insurance document.

The script was like this:

#!/bin/bash
for num in `cat policyNumbers.txt`
do
    wget "https://document.example.com/$num.pdf" -O "$num.pdf"
    mv "$num.pdf" files/
done
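Both endpoints above returned data to anyone who supplied an identifier. The following is an added example, not code from the original post or from the company: a sketch of the server-side fix, with an ownership check on the record id and an expiring, signed document link bound to the logged-in customer. The function names, the `/documents/` path, the secret and the second policy number are hypothetical; the sample records are constructed.

```python
import hashlib
import hmac
import time

# Constructed sample data: record id -> owning customer and policy number.
RECORDS = {
    62251: {"owner": "cust-A", "policy": "1682425711431052"},
    62252: {"owner": "cust-B", "policy": "1682425711431053"},
}
SECRET = b"demo-only-key"  # assumption: a server-side secret, never sent to clients


def get_benefit_record(session_customer, record_id, records=RECORDS):
    """Return the record only if the logged-in customer owns it."""
    rec = records.get(record_id)
    # Same answer for "missing" and "not yours", so ids cannot be probed.
    if rec is None or rec["owner"] != session_customer:
        return None
    return rec


def _sig(policy, customer, expires):
    # The signature covers the document, the customer and the expiry time.
    msg = f"{policy}|{customer}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def document_link(session_customer, record_id, ttl=300, now=None):
    """Issue an expiring link for the caller's own document, or None."""
    rec = get_benefit_record(session_customer, record_id)
    if rec is None:
        return None
    expires = int(now if now is not None else time.time()) + ttl
    sig = _sig(rec["policy"], session_customer, expires)
    return f"/documents/{rec['policy']}.pdf?exp={expires}&sig={sig}"


def verify_document_request(session_customer, policy, expires, sig, now=None):
    """Accept a download only with a valid, unexpired signature for this customer."""
    now = int(now if now is not None else time.time())
    if now > int(expires):
        return False
    expected = _sig(policy, session_customer, int(expires))
    return hmac.compare_digest(expected, sig)
```

With this in place, knowing or guessing a policy number is no longer enough: the download handler rejects any request whose signature was not issued to the current session for that exact document.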