The fine line of IDOR! (ESET $WAG)


canmustdie

Hello everyone,

Today, we’re going to talk about the vulnerability that I found in ESET a few months ago. The vulnerability has been fixed and I’ve got permission to make it public, so we can talk freely!

Before I get to the vulnerability: the purpose of this write-up isn't to explain IDOR itself, so I'll assume you already have a basic understanding of IDOR.
So, let’s get started!

Basic Recon

I’ll keep this part pretty short, because there’s nothing extra. In short, I was examining the sub-domains of ESET services and arrived at the following type of application panel.

Let the war begin!

I registered on the application and tried to understand what was going on. There wasn’t much; basically, the following message caught my attention.

It looked like a welcome message. I turned on Intercept and tried to delete the message directly by clicking the cross button.

I came across a request like the one below. Nothing caught my attention at first glance. I was looking for any object id but didn’t find what I was hoping for. I sent the request and the message was deleted. I couldn’t even get close to IDOR.
After a few minutes, I looked again at the request’s POST data and one parameter caught my attention. The “mainTable_selection=” parameter was empty. It looked like I hadn’t selected any objects, even though I had sent a successful request and deleted the message.

Here is the fine line of IDOR!

I went back to the application panel to find the object id, I was looking for a feature where I could change the request. Of course I wasn’t sure if there was an IDOR here, I was just trying my luck.

And yes, you noticed, right? I repeated the deletion process again to see what I missed and I noticed it too.

I resubmitted the request and looked at what would change.

I immediately created a victim user and changed the object id to his welcome message’s id. My victim’s welcome message had been deleted, BINGO!

The message select button was working directly in the backend with the “mainTable_selection=” parameter and didn’t really check which user the object belonged to. So, IDOR’s fine line led us to the goal as a result of certain features.
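To make the root cause concrete, here is an added example (not ESET's code, and not taken from the original write-up) of a minimal "delete selected messages" handler written two ways: the vulnerable pattern, which deletes whatever id arrives in the selection parameter, and a hardened version that resolves each id through the current user before touching anything. The in-memory store, user names, and function names are assumptions made for this illustration; the parameter name comes from the write-up.

```python
# Added example, not ESET's code: a minimal "delete selected messages"
# handler written two ways, to show the ownership check the write-up
# says was missing. Store layout, user names and function names are
# assumptions made for this illustration.
from dataclasses import dataclass


@dataclass
class Message:
    id: int
    owner: str   # user the message belongs to
    text: str


class Forbidden(Exception):
    """Selection contained an object the current user does not own."""


def parse_selection(raw):
    """Parse a 'mainTable_selection' value like '12,13' into ints.
    An empty value (as in the write-up's first request) selects nothing."""
    return [int(p) for p in raw.split(",") if p.strip()]


def delete_vulnerable(store, current_user, raw_selection):
    """Vulnerable pattern: trusts the id from the client and never asks
    whether the object belongs to current_user (the argument is unused)."""
    deleted = []
    for msg_id in parse_selection(raw_selection):
        if store.pop(msg_id, None) is not None:   # only existence is checked
            deleted.append(msg_id)
    return deleted


def delete_fixed(store, current_user, raw_selection):
    """Hardened pattern: resolve each id *through* the owner, the way a
    query scoped with 'WHERE id = ? AND owner = ?' would. Reject the whole
    request before deleting anything if any id is foreign, so a partial
    delete cannot reveal which ids exist."""
    ids = parse_selection(raw_selection)
    for msg_id in ids:
        msg = store.get(msg_id)
        if msg is None or msg.owner != current_user:
            # "Not yours" and "does not exist" get the same error, and the
            # event is worth logging: repeated hits here are an IDOR probe.
            raise Forbidden(f"user {current_user} has no message {msg_id}")
    for msg_id in ids:
        del store[msg_id]
    return ids


def build_store():
    """Constructed sample data: one welcome message per user."""
    return {
        1: Message(1, "attacker", "Welcome, attacker!"),
        2: Message(2, "victim", "Welcome, victim!"),
    }


if __name__ == "__main__":
    store = build_store()
    print(delete_vulnerable(store, "attacker", "2"))   # [2]: victim's message gone
    store = build_store()
    try:
        delete_fixed(store, "attacker", "2")
    except Forbidden as e:
        print("blocked:", e)
    print(delete_fixed(store, "attacker", "1"))        # [1]: own message, allowed
```

The important design choice is in `delete_fixed`: ownership is part of the lookup itself rather than a separate check bolted on after the fact, so there is no code path in which an id can be acted on without the owner being consulted. Returning the same error for a foreign id and a non-existent id also keeps the endpoint from becoming an oracle for valid ids.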

I reported this vulnerability to the ESET Security Team and was rewarded with SWAG. I hope you enjoyed!

Reported — Dec 5, 2020
Awarded — Dec 23, 2020
