IDOR Vulnerability in Payment Gateway Exposing User Order Details


O iluminado_x86

In the name of Allah, and may prayers and peace be upon the Messenger of Allah ﷺ❤️. O Allah, teach us what benefits us, benefit us with what You have taught us, and increase us in beneficial knowledge.

During a recent security assessment of a payment gateway, I discovered an Insecure Direct Object Reference (IDOR) vulnerability that allows unauthorized access to order details. By modifying the MDORDER parameter in an API request, an attacker could retrieve sensitive payment data belonging to other users.

This vulnerability poses a serious risk because it exposes order numbers, transaction amounts, and merchant details, which could lead to financial fraud or privacy breaches.

👉🏻 The vulnerable request looked like this: POST /payment/rest/getSessionStatus.do

MDORDER: This parameter references a specific order, but the server performs no authorization check to verify whether the requester actually owns that order.

Step 1: Capture a Valid Request

Using Burp Suite or a similar intercepting proxy, capture a legitimate request that fetches payment details:

Example Request:

The server returns the payment details for the specified MDORDER.

Step 2: Modify the MDORDER Value

Change the MDORDER value to another order ID (random or incremented) and resend the request:

MDORDER=O8kWAA51CpNfVJAY5XQ43&language=fr

The response confirms that another user's order details can be retrieved simply by changing the MDORDER value, which indicates a critical IDOR vulnerability.

Information Disclosure: Attackers can extract the financial details of other users.

Enumeration Attacks: If MDORDER values are predictable, an attacker could automate requests to retrieve thousands of orders. (The sample value above is a 21-character alphanumeric token; mass enumeration is only practical if the generator turns out to be sequential or low-entropy, which is worth testing by creating several orders in a row and comparing the values.)

Potential for Fraud: If the system also allows order modifications, attackers could cancel payments, manipulate transactions, or commit refund fraud.
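As an added example (not the author's code and not the gateway's real implementation), the following Python models the endpoint in-process so that Steps 1 and 2 above and the enumeration scenario can be replayed offline: one handler with the MDORDER-only lookup the write-up describes, one hardened handler that binds the order to the authenticated session, and a probe that replays the captured body from another user's session. The "session" cookie name, the error codes, the session store, and the second order value are constructed assumptions for this example.

```python
"""In-process model of the getSessionStatus.do IDOR and one fix for it.

Added example, not the gateway's own code. The cookie name "session", the
error codes, the session store and the sample orders are all constructed.
"""
from dataclasses import dataclass
from urllib.parse import parse_qsl

# Constructed sample data: each MDORDER maps to an order and its owner.
# The first value is the one quoted in the write-up; the second is made up.
ORDERS = {
    "O8kWAA51CpNfVJAY5XQ43": {"owner": "alice", "orderNumber": "1001",
                              "amount": 4999, "merchant": "shop-a"},
    "Qm3ZtPr7x1LwK9cD2vHs8": {"owner": "bob", "orderNumber": "1002",
                              "amount": 12000, "merchant": "shop-b"},
}

# Constructed session store: session cookie value -> authenticated user.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


@dataclass
class Request:
    """Stand-in for the intercepted POST /payment/rest/getSessionStatus.do."""
    cookies: dict
    form: dict  # parsed url-encoded body, e.g. MDORDER=...&language=fr


def parse_body(body: str) -> dict:
    """Parse the url-encoded body exactly as captured in the proxy."""
    return dict(parse_qsl(body, keep_blank_values=True))


def _order_view(order: dict) -> dict:
    return {"errorCode": 0, "orderNumber": order["orderNumber"],
            "amount": order["amount"], "merchant": order["merchant"]}


def get_session_status_vulnerable(req: Request) -> dict:
    """The bug: the order is looked up by MDORDER alone, so any client that
    knows (or guesses) a valid MDORDER receives that order's details."""
    order = ORDERS.get(req.form.get("MDORDER", ""))
    if order is None:
        return {"errorCode": 6, "errorMessage": "Unknown order"}
    return _order_view(order)


def get_session_status_fixed(req: Request) -> dict:
    """The fix: resolve the caller from the session first, then refuse any
    order the caller does not own. Unknown and foreign orders return the
    same error so the response cannot confirm which MDORDER values exist."""
    user = SESSIONS.get(req.cookies.get("session", ""))
    if user is None:
        return {"errorCode": 5, "errorMessage": "Access denied"}
    order = ORDERS.get(req.form.get("MDORDER", ""))
    if order is None or order["owner"] != user:
        return {"errorCode": 6, "errorMessage": "Unknown order"}
    return _order_view(order)


def probe_idor(handler, attacker_cookie: str, victim_mdorder: str) -> bool:
    """Step 2 of the write-up: replay the captured request from the
    attacker's own session with another user's MDORDER in the body.
    Returns True when the foreign order's details come back."""
    req = Request(cookies={"session": attacker_cookie},
                  form=parse_body(f"MDORDER={victim_mdorder}&language=fr"))
    return handler(req).get("errorCode") == 0


def enumerate_orders(handler, attacker_cookie: str, candidates) -> list:
    """The enumeration scenario: try a list of candidate MDORDER values from
    one session and return the ones that disclosed an order."""
    return [m for m in candidates if probe_idor(handler, attacker_cookie, m)]


if __name__ == "__main__":
    victim = "O8kWAA51CpNfVJAY5XQ43"
    print("vulnerable:", probe_idor(get_session_status_vulnerable, "sess-bob", victim))
    print("fixed:     ", probe_idor(get_session_status_fixed, "sess-bob", victim))
    print("enumerated:", enumerate_orders(get_session_status_vulnerable, "sess-bob",
                                          list(ORDERS) + ["notanorder"]))
```

Run it directly to see the probe succeed against the vulnerable handler and fail against the fixed one. The design point is in the fixed handler: authorization is derived from the session, never from the request body, and an order that exists but belongs to someone else is reported with the same error as a non-existent one, so a retest of the fix should also confirm that error responses do not leak which MDORDER values are valid.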

1♦️ Sensitive Information Exposure: High

2♦️ Ease of Exploitation: High

3♦️ Potential for Abuse: Critical

📌 Overall Rating: HIGH (Critical if order modification is possible)

If there is any knowledge to share with me, I will appreciate it 🤍 >.<
