IDOR on API endpoints.

3 years ago

So, I had been testing target.com for the last 3 days. I had found a few bugs, including cross-site scripting and missing rate limiting, but I was not satisfied with what I had, so I kept digging. After an hour of searching, my eyes got stuck on the response to an API request, which was:

Work creation Response

You can clearly see that this response includes an ‘id’ parameter (“id”:2150). That caught my attention.
This response was generated because I had added a work experience to my profile on target.com. The original request was:

Work creation Request

Now I started fuzzing that endpoint. I tried a few things, such as creating a work experience for another user by adding parameters to the JSON body of the request, but nothing happened.
I was about to move on from this endpoint when I thought about checking the delete functionality for work experience.
I deleted the work experience on my profile and captured the request:

Delete Request of work experience.

Now I think you have also spotted the interesting parameter in that URL. The method was DELETE and the URL was
https://www.target.com/api/user-firm/2150.
That number (‘2150’) in the request again caught my attention. Now look at the response to the above request:

Delete Response of work experience.

The response has status code ‘204 No Content’, which means the work experience was deleted successfully and there is no longer any content at that location.
Next I created another account and followed the same steps. I added a work experience to this profile. The request was:

Request for Creating work [2nd Account]

The response had something that again confirmed my earlier thought.

Response of Creating work [2nd Account]

Here “id”:2151, the successor of the id of the work experience I had created with my first account. Now I knew that the ids were being assigned sequentially.
From the first account I then created another work experience.
The idea was to check for an IDOR vulnerability.
So, I tried to delete the work experience of the 2nd account using the request from the first account.
Remember the creation id (2150) of the first work experience.
The deletion request from my first account was:

Deletion Request from my first account.

In the above request, I changed the value of the id from 2150 to 2151.
The response was:

Response.

Voila!!

So, I had just deleted the work experience of my 2nd account from my first account.
I then tried the same thing with the educational-details feature of the website and, luckily, succeeded again.
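The root cause described above is that the DELETE handler for /api/user-firm/{id} looks the record up by id alone and never checks that it belongs to the caller. The following is an added example, not code from the original write-up or from target.com: a small in-memory model of the work-experience resource with the handler written twice, once as observed (any authenticated account can delete any id) and once with the ownership check a defender would add. The WorkStore class, the account names and the company strings are assumptions constructed for the example; only the endpoint shape and the 2150/2151 ids come from the write-up.

```python
# Added example: vulnerable vs. hardened DELETE handler for a "user-firm"
# work-experience resource. Not the original site's code; the store, the
# account names and the company strings are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class WorkStore:
    # Sequential ids like the 2150/2151 pair in the write-up are trivial to
    # enumerate, but the real defence is the ownership check below, not
    # hiding the id.
    next_id: int = 2150
    rows: Dict[int, dict] = field(default_factory=dict)

    def create(self, owner: str, company: str) -> Tuple[int, dict]:
        """POST handler: returns (status, body) with the new id, like the
        'Work creation Response' in the write-up."""
        work_id = self.next_id
        self.next_id += 1
        self.rows[work_id] = {"id": work_id, "owner": owner, "company": company}
        return 201, self.rows[work_id]

    def delete_vulnerable(self, caller: str, work_id: int) -> int:
        """DELETE /api/user-firm/<id> as observed: the row is looked up by id
        only, so `caller` is never consulted and any account can delete it."""
        if work_id not in self.rows:
            return 404
        del self.rows[work_id]
        return 204

    def delete_fixed(self, caller: str, work_id: int) -> int:
        """Same endpoint with the ownership check. Returning 404 rather than
        403 for another user's row avoids confirming that the id exists."""
        row = self.rows.get(work_id)
        if row is None or row["owner"] != caller:
            return 404
        del self.rows[work_id]
        return 204


def demo() -> dict:
    """Replays the write-up's scenario against both handlers."""
    store = WorkStore()
    _, first = store.create("account-1", "Example Co")   # id 2150
    _, second = store.create("account-2", "Other Co")    # id 2151
    # account-1 sends DELETE /api/user-firm/2151 against the observed handler
    vulnerable = store.delete_vulnerable("account-1", second["id"])
    # restore the row so the fixed handler is exercised against the same state
    store.rows[second["id"]] = second
    fixed_cross_user = store.delete_fixed("account-1", second["id"])
    fixed_owner = store.delete_fixed("account-2", second["id"])
    return {
        "vulnerable": vulnerable,          # 204: another user's row deleted
        "fixed_cross_user": fixed_cross_user,  # 404: ownership check blocks it
        "fixed_owner": fixed_owner,        # 204: the real owner can still delete
        "first_id": first["id"],
    }


if __name__ == "__main__":
    print(demo())
```

The same check belongs in every handler that takes a client-supplied id, including the educational-details endpoint the write-up mentions; the query should be scoped to the authenticated user (for example `WHERE id = ? AND owner_id = ?`) rather than checked after an unscoped lookup.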
