Hey Everyone,
My name is Satyam Singh, and I’m back again with another article, in which I will share how I uncovered an IDOR vulnerability in an application that uses UUIDs.
I was testing an application and discovered that it uses UUID values as object identifiers, which makes them impractical to guess or enumerate.
After some exploration, I stumbled upon a feature that allows users to create an API token. Interestingly, the URL contained a “?account_id=” parameter that carries a numeric ID.
Seeing a numeric ID, I experimented by altering its value. Surprisingly, I found that I could access information about other users. 😄
I copied the parameter and tried it on other application functionalities where UUIDs are used. By replacing the UUID and adding the “account_id” parameter, I could enumerate data belonging to other users. 😁 The server evidently resolved the account from the numeric parameter rather than from the UUID or the logged-in session, so the non-guessable identifier offered no protection once a second, sequential identifier was accepted alongside it.
To show the impact, I created two accounts: a regular user and an admin user.
I created some data from the admin account, which can be seen in the widgets area.
In the screenshot below, the regular user has no data in the widgets.
However, after adding the “account_id” parameter, we can see the magic: the admin user’s widget data becomes visible to the regular user. 😂
I captured the above request and sent it to Burp Intruder to demonstrate mass exploitation across account IDs. 🙌
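To make the root cause concrete, here is an added example (not the author’s code, and not the target application’s) that models the widgets endpoint described above. The account records, UUIDs and widget data are constructed for the example; the vulnerable handler assumes, as the write-up implies, that a numeric account_id in the query string is trusted over the session and the UUID. The hardened handler derives the account scope from the session only, and a small authorization check runs both handlers as the regular user to report which other accounts leak.

```python
"""Vulnerable vs. hardened account scoping for a widgets endpoint (added example)."""
from dataclasses import dataclass, field

# Constructed sample data: numeric id 1 is the admin, 2 is the regular user.
# The UUIDs are invented for this example.
ACCOUNTS = {
    1: {"uuid": "3f0c8d2e-1b7a-4c9e-9d2f-5a6b7c8d9e01", "role": "admin"},
    2: {"uuid": "8a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c04", "role": "user"},
}
UUID_TO_ID = {v["uuid"]: k for k, v in ACCOUNTS.items()}

# Widgets created by each account; the regular user has none.
WIDGETS = {
    1: ["sales-dashboard", "audit-log-summary"],
    2: [],
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request to /accounts/<uuid>/widgets."""
    path_uuid: str                 # UUID taken from the URL path
    query: dict = field(default_factory=dict)
    session_account_id: int = 0    # account the caller is authenticated as


def widgets_vulnerable(req: Request):
    """Bug: a client-supplied numeric account_id overrides the UUID scope.

    The UUID in the path is only consulted when account_id is absent, so an
    attacker who knows their own UUID can read any account by appending a
    small integer. Returns (status, widgets)."""
    raw = req.query.get("account_id")
    if raw is not None:
        account_id = int(raw)
    else:
        account_id = UUID_TO_ID.get(req.path_uuid)
    if account_id not in ACCOUNTS:
        return 404, []
    return 200, WIDGETS[account_id]


def widgets_hardened(req: Request):
    """Fix: scope comes from the authenticated session, never from the client.

    Unknown parameters are rejected outright, and the path UUID must resolve
    to the caller's own account. Returns (status, widgets)."""
    if "account_id" in req.query:
        return 400, []   # the endpoint does not define this parameter
    owner = UUID_TO_ID.get(req.path_uuid)
    if owner is None or owner != req.session_account_id:
        return 403, []   # another account's resource: deny, do not 200
    return 200, WIDGETS[owner]


def leaks_other_accounts(handler, caller: int):
    """Authorization check: as `caller`, request own URL with every other
    account's numeric id injected; return the ids whose data comes back."""
    own_uuid = ACCOUNTS[caller]["uuid"]
    leaked = []
    for other in ACCOUNTS:
        if other == caller:
            continue
        req = Request(own_uuid, {"account_id": str(other)}, caller)
        status, body = handler(req)
        if status == 200 and body == WIDGETS[other]:
            leaked.append(other)
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_other_accounts(widgets_vulnerable, caller=2))
    print("hardened leaks:  ", leaks_other_accounts(widgets_hardened, caller=2))
```

The hardened handler rejects the extra parameter with 400 rather than silently ignoring it; either is safe, but rejecting makes the stray parameter visible in logs and tests. The `leaks_other_accounts` check is the kind of regression test worth keeping in the suite: it exercises exactly the injected-parameter path the write-up describes, with a low-privilege session.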
So that’s it for this article; I hope you all liked it.
Thank you 😊
Connect with me: 🙌
https://www.linkedin.com/in/satyam-singh-893306221/
Credits: