Hello ethical hackers, hope you are doing well!
While testing a university portal, I found an IDOR vulnerability that let any student view the bachelor theses uploaded by other students.
IDOR stands for Insecure Direct Object Reference. It is a type of access-control vulnerability that occurs when an application uses a user-supplied identifier (such as a file name, database key, or user ID) to look up an object directly, without checking that the requesting user is actually authorized to access that object. In simpler terms, an attacker can change the identifier in a request to read, modify, or delete objects (files, database records, user accounts) that do not belong to them.
The university portal allows each student to upload his/her bachelor thesis through his/her portal account, so that it can be marked and graded by his/her supervisors. After uploading the thesis, you can view your uploaded thesis file on the portal through a URL ending with:
/[yourStudentID].pdf
Now, the question is: can you change your student ID in that URL to another student's ID and access his/her uploaded thesis? The answer is YES!
Changing the URL used to view your own uploaded thesis so that it ends with another student ID returns that student's uploaded thesis file. The server checks only that you are logged in, not that the requested file belongs to you.
The student ID is a 7-digit integer. The first 3 digits are the same for all students and only the last 4 digits vary:
/[200XXXX].pdf
That leaves at most 10,000 possible values for the last 4 digits, so the whole ID space can simply be brute forced to download other students' bachelor theses.
Steps to reproduce:
1. Upload your bachelor thesis on the portal.
2. View the uploaded thesis file.
3. Change the URL responsible for viewing the uploaded thesis file so that it ends with another student ID.
4. You can now view other students' bachelor theses without their permission.
Impact (privacy violation): a user should be able to access, through his/her portal account, only his/her own uploaded file, never other students' uploaded files.
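To make the root cause and the fix concrete, here is an added example (my own illustration, not code from the university portal, whose implementation I never saw). It models the thesis-download endpoint twice: once with the IDOR, where the ID taken from the URL is used directly as the lookup key, and once hardened with an object-level authorization check. The student IDs, thesis contents, the `/theses/` path prefix and the function names are all constructed assumptions. The `enumerate_theses` helper walks the 10,000-value ID space described above against each handler so you can see exactly what one logged-in session can retrieve.

```python
"""Added example (not from the original article): a minimal model of the
thesis-download endpoint, showing the vulnerable lookup beside a hardened
one that enforces object-level authorization.  All IDs, data, paths and
names here are constructed for illustration."""
import re

# Constructed sample data: 7-digit student IDs sharing the fixed "200"
# prefix, each mapped to the thesis that student uploaded.
THESES = {
    "2000001": b"%PDF alice thesis",
    "2000002": b"%PDF bob thesis",
    "2009999": b"%PDF carol thesis",
}

# Fixed 3-digit prefix plus 4 varying digits, as described in the article.
STUDENT_ID_RE = re.compile(r"^200\d{4}$")


class Forbidden(Exception):
    """Raised when the caller is not the owner of the requested thesis."""


def parse_thesis_path(path: str) -> str:
    """Extract the student ID from a URL ending in /<studentID>.pdf.

    Rejects anything that is not a 7-digit ID with the fixed prefix, so
    traversal-style or otherwise malformed paths never reach the lookup.
    """
    m = re.search(r"/(\d{7})\.pdf$", path)
    if not m or not STUDENT_ID_RE.match(m.group(1)):
        raise ValueError(f"malformed thesis path: {path!r}")
    return m.group(1)


def is_valid_thesis_path(path: str) -> bool:
    """Convenience wrapper: True if parse_thesis_path accepts the path."""
    try:
        parse_thesis_path(path)
        return True
    except ValueError:
        return False


def serve_thesis_vulnerable(session_user: str, path: str) -> bytes:
    """The IDOR: the ID from the URL is the lookup key, and the logged-in
    user (session_user) is never compared against it.  Being authenticated
    is treated as being authorized for every object."""
    student_id = parse_thesis_path(path)
    return THESES[student_id]


def serve_thesis_fixed(session_user: str, path: str) -> bytes:
    """Hardened version: the object is returned only if it belongs to the
    authenticated user.  This is the object-level check the portal lacked;
    validating the ID format alone would not have prevented the leak."""
    student_id = parse_thesis_path(path)
    if student_id != session_user:
        raise Forbidden(f"user {session_user} may not read {student_id}.pdf")
    return THESES[student_id]


def enumerate_theses(handler, session_user: str) -> dict:
    """Walk the whole 2000000..2009999 range the way an attacker would and
    collect every thesis the handler hands back to this single session.
    10**4 candidates is small enough to exhaust in one sitting."""
    leaked = {}
    for suffix in range(10_000):
        student_id = f"200{suffix:04d}"
        try:
            leaked[student_id] = handler(session_user, f"/theses/{student_id}.pdf")
        except (KeyError, Forbidden):
            continue  # no such student, or access correctly denied
    return leaked


if __name__ == "__main__":
    me = "2000001"
    print("vulnerable:", sorted(enumerate_theses(serve_thesis_vulnerable, me)))
    print("fixed:     ", sorted(enumerate_theses(serve_thesis_fixed, me)))
```

Run against the vulnerable handler, a single session for student 2000001 collects all three theses; against the fixed handler it collects only its own. Note that the fix is the ownership check, not the ID format: making the IDs longer or random would only slow enumeration down, while comparing the requested object's owner to the session user closes the hole regardless of how guessable the identifiers are.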
Thanks for reading this simple article. Happy ethical hacking!