IDOR to change another user’s Account Name


#$ubh@nk@r

Intro: Hello Hackers!! 👋 What’s up? Hope you are all fine. Today I will discuss exploiting an IDOR (Insecure Direct Object Reference) vulnerability to change another user’s account name. This one is very straightforward, so let’s dive in.

According to the program, *.domain.com is in scope, so I collected all the subdomains and started hunting.

At first I tried attacking the main website. Here I created an account named Admin and renamed it. Here is the request and response.

If you look closely at the URL, you can find a unique identifier here:

POST /rename-account?id=XXX-XXX-XXX [OK]

For testing purposes I also created an attacker’s account.

I renamed the browser tabs to ADMIN and ATTACKER for better understanding.

Now, from the attacker’s session, I replaced the attacker’s ID in the request with the admin’s ID.

I also changed the name to ADMIN_HACKED to show the impact.

After hitting send I got a 200 success message. 😎

When I reloaded the admin’s account... Boom. The account name had been changed to ADMIN_HACKED. The server accepted whatever id the client sent and never checked that it belonged to the logged-in user.
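To make the root cause concrete, here is an added example (my own code, not the target application’s or the author’s) that models the rename endpoint as two handlers: the vulnerable one trusts the client-supplied id, the fixed one requires the account to belong to the session user. The account IDs, owner names and request shape are constructed for illustration; the write-up does not show the real server code.

```python
"""Model of an IDOR in a /rename-account?id=... endpoint and its fix.

Added example, not the target's code. Account IDs, owners, names and the
session model below are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Account:
    account_id: str
    owner: str          # username that owns this account
    name: str           # the display name the endpoint changes


@dataclass
class Request:
    session_user: str   # who the server-side session says is logged in
    query_id: str       # the ?id=... parameter, fully under client control
    new_name: str


def fresh_store() -> dict:
    """Constructed sample data: one admin account and one attacker account."""
    return {
        "AAA-AAA-AAA": Account("AAA-AAA-AAA", "admin", "Admin"),
        "BBB-BBB-BBB": Account("BBB-BBB-BBB", "attacker", "Attacker"),
    }


def rename_vulnerable(store: dict, req: Request) -> tuple:
    """IDOR: looks up whatever id the client sent and renames it.

    The session is only used to know that *someone* is logged in; the
    object reference in the query string is never tied to that session.
    """
    acct = store.get(req.query_id)
    if acct is None:
        return 404, "no such account"
    acct.name = req.new_name
    return 200, "Success"


def rename_fixed(store: dict, req: Request) -> tuple:
    """Authorization check: the referenced account must belong to the session user.

    "Not found" and "not yours" return the same status so the endpoint
    cannot be used to enumerate which account IDs exist.
    """
    acct = store.get(req.query_id)
    if acct is None or acct.owner != req.session_user:
        return 403, "forbidden"
    acct.name = req.new_name
    return 200, "Success"


def reproduce(handler) -> tuple:
    """Replay the write-up's attack: attacker session, admin's id.

    Returns (HTTP status, admin account name afterwards).
    """
    store = fresh_store()
    attack = Request(session_user="attacker",
                     query_id="AAA-AAA-AAA",
                     new_name="ADMIN_HACKED")
    status, _ = handler(store, attack)
    return status, store["AAA-AAA-AAA"].name


def legitimate(handler) -> tuple:
    """Control case: the attacker renames their own account, which must still work."""
    store = fresh_store()
    own = Request(session_user="attacker",
                  query_id="BBB-BBB-BBB",
                  new_name="ATTACKER_RENAMED")
    status, _ = handler(store, own)
    return status, store["BBB-BBB-BBB"].name


if __name__ == "__main__":
    print("vulnerable:", reproduce(rename_vulnerable))   # (200, 'ADMIN_HACKED')
    print("fixed:     ", reproduce(rename_fixed))        # (403, 'Admin')
    print("own rename:", legitimate(rename_fixed))       # (200, 'ATTACKER_RENAMED')
```

The fix is the single ownership comparison in `rename_fixed`; everything else is unchanged. When testing an endpoint like this, always run the control case too: a fix that rejects the attacker’s request but also breaks the legitimate rename is not a fix.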

Then I quickly wrote a report and submitted it to the team. Unfortunately it was closed as Duplicate. 😐

No matter... keep hunting even when you get a Duplicate. It will boost your skills and confidence.

That’s it for today. Hope you learned something new. Stay tuned for my next article.

THANKS FOR READING!😄

If you liked it, don’t forget to like it and follow me for more articles.

Happy Hacking~
