The Great Photo Heist: IDOR Vulnerability Strikes Again


Yousef Muhammedelkhir

Hi everyone, I'm back again with another bug, this one found while hunting in a private program on HackerOne. I can't name the program, so here is a summary first, then the details.

Summary:

This writeup describes an Insecure Direct Object Reference (IDOR) vulnerability discovered in a shopping site's partner service.

The vulnerability allows an attacker to download any photo uploaded to the server, including business licenses, photos of institutional premises, and proof of student enrollment.

I chose a shopping site to search for bugs on; let's say the site is <https://service.target.com>.

This service's site lets you register as a partner. After registration and verification of your email and phone number, there is a tab called "Settlement related", and inside it a "My entry" tab where you need to apply for admission and get approval. The admission application has several settlement types:

- Operation Service
- School enterprise cooperation training services
- Software Services
- Live streaming service
- etc.

Settlement types

Let's choose "Operation service" as the starting attack point:

After filling in all the blank fields, I reached the Business license photo upload. I have marked it with a square in the screenshot, and this is the vulnerable place.

After submitting my application I went back to the "My entry" tab, thinking: what if the download function for the photos I uploaded is vulnerable to IDOR?

Then I went to "edit operate".

I scrolled down and found that I could download the Business license photo.

Then I clicked download, intercepted the request in Burp Suite, and sent it to Repeater to check whether IDOR was possible.

Then I started guessing the number. I started with number 1 and, surprise, the IDOR was real: I could download every photo uploaded to the server.

The target service should implement robust access control on the download function: every request must check that the requested photo belongs to the authenticated partner, rather than trusting the numeric ID supplied by the client.
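To make the flaw and its fix concrete, here is an added example (my own illustration, not the program's code): a Python download handler in the style the writeup describes, with the vulnerable ID-only lookup beside an ownership-checked version, an indirect-reference variant, and a small log check a defender could run to spot one account walking through many download IDs. The function names, the `/partner/download?id=` path, the log format and all sample data are assumptions I constructed for the demo.

```python
"""Added IDOR demo: an ID-only download handler next to two hardened variants
and a simple detection over constructed access-log lines.  Not the target's
code; every value below is made up for illustration."""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


class NotFound(Exception):
    """Raised for missing objects and, in the hardened paths, for objects the
    caller does not own: the same response in both cases, so IDs leak nothing."""


@dataclass(frozen=True)
class Upload:
    upload_id: int
    owner_id: int      # partner account that uploaded the file
    filename: str
    content: bytes


# Constructed sample store: sequential IDs, one file per partner account.
UPLOADS: Dict[int, Upload] = {
    1: Upload(1, 100, "business_license.png", b"PNG-partner-100"),
    2: Upload(2, 200, "premises_photo.jpg", b"JPG-partner-200"),
    3: Upload(3, 300, "student_enrollment.pdf", b"PDF-partner-300"),
}


def download_vulnerable(current_user_id: int, upload_id: int) -> bytes:
    """The flawed pattern from the writeup: the session proves *who* is
    calling, but the handler fetches whatever ID the client supplies."""
    upload = UPLOADS.get(upload_id)
    if upload is None:
        raise NotFound(upload_id)
    return upload.content          # no ownership check -> IDOR


def download_hardened(current_user_id: int, upload_id: int) -> bytes:
    """Fix 1: authorise the object, not just the session.  'Not yours' and
    'does not exist' are indistinguishable to the caller."""
    upload = UPLOADS.get(upload_id)
    if upload is None or upload.owner_id != current_user_id:
        raise NotFound(upload_id)
    return upload.content


# Fix 2: indirect references.  The client never sees the database ID; it is
# handed a random token that the server maps back to (owner, upload_id).
_DOWNLOAD_TOKENS: Dict[str, Tuple[int, int]] = {}


def issue_download_token(current_user_id: int, upload_id: int) -> str:
    """Mint an unguessable token for a file the caller owns."""
    upload = UPLOADS.get(upload_id)
    if upload is None or upload.owner_id != current_user_id:
        raise NotFound(upload_id)
    token = secrets.token_urlsafe(32)
    _DOWNLOAD_TOKENS[token] = (current_user_id, upload_id)
    return token


def download_by_token(current_user_id: int, token: str) -> bytes:
    """Resolve the token server-side and still re-check the owner, so a token
    that leaks to another account is useless."""
    entry = _DOWNLOAD_TOKENS.get(token)
    if entry is None or entry[0] != current_user_id:
        raise NotFound(token)
    owner_id, upload_id = entry
    return download_hardened(owner_id, upload_id)


# Detection side: one account requesting many distinct download IDs in a
# short span (404s included) is the footprint of the number guessing in the
# writeup.  Hypothetical log format, constructed lines.
SAMPLE_LOG: List[str] = [
    "2024-05-01T10:00:01Z user=100 GET /partner/download?id=1 200",
    "2024-05-01T10:00:03Z user=100 GET /partner/download?id=2 200",
    "2024-05-01T10:00:04Z user=100 GET /partner/download?id=3 200",
    "2024-05-01T10:00:05Z user=100 GET /partner/download?id=4 404",
    "2024-05-01T10:07:10Z user=200 GET /partner/download?id=2 200",
]
_LOG_RE = re.compile(r"user=(\d+) \S+ /partner/download\?id=(\d+) (\d{3})")


def flag_enumeration(lines: List[str], threshold: int = 3) -> Set[int]:
    """Return user IDs that requested at least `threshold` distinct download
    IDs in the supplied lines (a real job would bucket by time window)."""
    seen: Dict[int, Set[int]] = {}
    for line in lines:
        match = _LOG_RE.search(line)
        if not match:
            continue
        user, upload_id = int(match.group(1)), int(match.group(2))
        seen.setdefault(user, set()).add(upload_id)
    return {user for user, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    # Partner 100 fetching partner 200's file: this is the bug.
    print(download_vulnerable(100, 2))
    print(flag_enumeration(SAMPLE_LOG))
```

Note that the hardened handler returns the same `NotFound` for "missing" and "not yours"; a distinct 403 would confirm to a guesser that the ID exists. The token variant is belt and braces: it removes the guessable sequence and keeps the owner check, so neither a leaked token nor a guessed ID crosses account boundaries.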

Thank you for reading. If you have any questions, feel free to ping me on X or LinkedIn.
