IDOR ON EVERYWHERE


Gemilang


Hi all, this time I will discuss a little about one of my findings that was considered out of scope. Yup, this is an IDOR bug that I found, but unfortunately the program does not accept any activity after login, which is why they consider it out of scope. Indeed, a bit strange. But how I found this bug is what we will discuss. I will divide it into 2 chapters: IDOR to delete the shortlist of any user, and IDOR to change the notes of any user without any interaction.

CHAPTER 1 | IDOR TO DELETE THE SHORTLIST OF ALL USERS

Because this bug is still unpatched, I will call the site redacted.com. I tested all the features on their site and found that the shortlist creation feature is vulnerable to IDOR: I found id_shortlist and my account id in the response. I then tested it right away by creating 2 accounts so as not to disturb real users.

Steps To Reproduce

1. Create 2 accounts: A as attacker and B as victim.

2. Create a shortlist on account A and on account B to get the ids.

3. In shortlist_id and userid, change the values to the victim's ids.

4. Click forward and I get a 200 OK response. The IDOR now runs successfully against the victim's account.

CHAPTER 2 | IDOR LEADS TO CHANGING OTHER USERS' NOTES

On this platform I found 3 IDOR bugs on different endpoints. The IDOR bug this time changes other users' notes without any need to interact with them. How did I get the bug? Let's discuss.

Steps To Reproduce

1. Create 2 accounts: account A as attacker and account B as victim.

2. Create notes on account A and on account B.

3. In account A (attacker), change the notes and save, and I get a response like this

4. Now change the shortlistid and userid parameters to the victim's ids.

5. Click forward or send to Repeater. If you get a 200 OK response, your request was accepted by the server.

Notes: Try playing around with your id parameter. If you make a request and get a 200 response, check the result on the victim account (the second account). If there is a change, then the request was accepted and the IDOR was successfully executed.
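Both chapters come down to the same root cause: the server accepts the shortlist id and user id from the request and never checks them against the logged-in session. The following is an added example (not code from the original post or from the affected site) of a minimal shortlist/notes store with the vulnerable pattern beside an ownership check bound to the session; all ids, users and notes are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Shortlist:
    shortlist_id: int
    owner_id: int
    note: str = ""

def make_store() -> Dict[int, Shortlist]:
    # Constructed sample data: user 1 (A) and user 2 (B) own one shortlist each.
    return {101: Shortlist(101, owner_id=1, note="A's note"),
            202: Shortlist(202, owner_id=2, note="B's note")}

def delete_vulnerable(store, shortlist_id: int, userid: int) -> int:
    """Vulnerable pattern from the post: the only check compares the row's owner
    with the userid the client sent, so a caller who rewrites shortlist_id and
    userid to another account's values gets 200 and deletes that account's row."""
    item = store.get(shortlist_id)
    if item is None or item.owner_id != userid:
        return 404
    del store[shortlist_id]
    return 200

def _owned_by_session(store, session_user_id: int, shortlist_id: int) -> Optional[Shortlist]:
    """Ownership check bound to the server-side session, never to request data.
    A row owned by someone else is reported as not found (404 rather than 403),
    so the response does not confirm that another user's id exists."""
    item = store.get(shortlist_id)
    if item is None or item.owner_id != session_user_id:
        return None
    return item

def delete_fixed(store, session_user_id: int, shortlist_id: int) -> int:
    # The client-supplied userid is ignored entirely; the session decides.
    if _owned_by_session(store, session_user_id, shortlist_id) is None:
        return 404
    del store[shortlist_id]
    return 200

def update_note_fixed(store, session_user_id: int, shortlist_id: int, note: str) -> int:
    item = _owned_by_session(store, session_user_id, shortlist_id)
    if item is None:
        return 404
    item.note = note
    return 200

if __name__ == "__main__":
    print(delete_vulnerable(make_store(), 202, 2))   # 200: B's shortlist gone
    print(delete_fixed(make_store(), 1, 202))        # 404: refused
```

The fixed handlers also help detection: a 404 on a row that exists for another user is a signal worth logging, since a legitimate client never sends ids it does not own.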
