You Say Premium Features? Well, Not Anymore


Ahmed Salem

How I Exploited an IDOR Flaw to Unlock Target.com’s Paid Templates

Hi, my name is Ahmed. I'm a noob bug bounty hunter, and I'd like to share with you my finding in a HackerOne public program.

Before we begin, I offer my prayers for my brothers in Palestine and Sudan, asking Allah to grant them unwavering strength and ultimate victory

This is my first write-up, so I will try to make it brief and jump straight to the main idea. Without further delay, let's dive in.

target.com is a platform designed to help users create presentations using boards. Instead of working from scratch, you can add templates to your boards and work on them. Some templates are only for paid-plan users: if a free-plan user tries to access one, they are asked to upgrade to a paid plan, so they can only preview it and feel sad. Well, that's for free users, not free hackers😉

After a few days of working on the app and not finding any BAC/IDOR, I asked myself: what if I could find an IDOR when adding or removing a template? When adding a free template, the app sent this request:

GET /api/template-metadata-service/application/space-templates/for-preview/[template-id]?locale=en_US

So I thought: what if I change 'template-id' to a paid template ID?

I went to the preview function for paid templates and found lots of IDs, but when I swapped the IDs nothing happened and the free template was added.

That's where Match and Replace comes into play, adding this rule to the request header and request body:

And boom 💥, I can now add any number of paid templates.
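The flow described above, as an added example that is not the author's code or Target.com's: a toy "add template" endpoint with the vulnerable handler (it checks that the template exists but never the user's plan) beside the fixed one, plus the two client-side edits from the write-up, swapping the ID in the URL only versus a match-and-replace rule applied to request line, headers and body. Everything here is constructed: the template IDs, the X-Board-Id and X-Template-Id headers, the JSON body, and the assumption that the server reads the template ID from the body rather than the path, chosen so the toy reproduces what the author saw (editing the URL alone still added the free template).

```python
import json
import re
from dataclasses import dataclass, field

FREE_ID = b"tpl-free-001"   # hypothetical template IDs
PAID_ID = b"tpl-paid-042"

# Constructed catalogue: which templates require a paid plan.
TEMPLATES = {
    "tpl-free-001": {"name": "Blank agenda", "paid": False},
    "tpl-paid-042": {"name": "Quarterly roadmap", "paid": True},
}


@dataclass
class User:
    name: str
    plan: str                                   # "free" or "paid"
    boards: dict = field(default_factory=dict)  # board_id -> [template_id]


def add_template_vulnerable(user, board_id, template_id):
    # Only checks that the template exists; the user's plan is never consulted.
    if template_id not in TEMPLATES:
        return 404, "unknown template"
    user.boards.setdefault(board_id, []).append(template_id)
    return 200, "added"


def add_template_fixed(user, board_id, template_id):
    # Entitlement comes from the authenticated user's plan, never from the client.
    tpl = TEMPLATES.get(template_id)
    if tpl is None:
        return 404, "unknown template"
    if tpl["paid"] and user.plan != "paid":
        return 403, "upgrade required"
    user.boards.setdefault(board_id, []).append(template_id)
    return 200, "added"


def replace_in_request_line_only(raw, old, new):
    # The naive first attempt: edit the ID in the URL and nothing else.
    first, sep, rest = raw.partition(b"\r\n")
    return first.replace(old, new) + sep + rest


def match_and_replace(raw, old, new):
    # Proxy-style rule over request line, headers and body; Content-Length is
    # recomputed because a bare rule would leave it stale if ID lengths differ.
    head, sep, body = raw.partition(b"\r\n\r\n")
    head = head.replace(old, new)
    body = body.replace(old, new)
    head = re.sub(rb"(?im)^content-length:\s*\d+",
                  b"Content-Length: %d" % len(body), head)
    return head + sep + body


def template_ids_in(raw):
    # Every template ID mentioned anywhere in the raw request.
    return {m.decode() for m in re.findall(rb"tpl-(?:free|paid)-\d+", raw)}


def serve(raw, user, handler):
    # Toy dispatcher. Assumption: the ID that matters is the one in the JSON
    # body; the path is only used for routing, the board comes from a header.
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    path = request_line.split()[1].decode()
    headers = dict(h.decode().split(": ", 1) for h in header_lines)
    if "/space-templates/for-preview/" not in path:
        return 404, "no route"
    template_id = json.loads(body)["templateId"]
    return handler(user, headers.get("X-Board-Id", "board-1"), template_id)


# Constructed capture of the "add free template" request: the path is the one
# from the write-up, the X-Template-Id header and the body are assumed.
FREE_REQUEST = (
    b"GET /api/template-metadata-service/application/space-templates/"
    b"for-preview/tpl-free-001?locale=en_US HTTP/1.1\r\n"
    b"Host: target.com\r\n"
    b"X-Board-Id: board-7\r\n"
    b"X-Template-Id: tpl-free-001\r\n"
    b"Content-Length: 29\r\n"
    b"\r\n"
    b'{"templateId":"tpl-free-001"}'
)


def attempt(raw, plan, handler):
    # Send one crafted request as a fresh user; report what landed on the board.
    user = User("tester", plan)
    status, msg = serve(raw, user, handler)
    return status, msg, user.boards.get("board-7", [])


def run_demo():
    url_only = replace_in_request_line_only(FREE_REQUEST, FREE_ID, PAID_ID)
    everywhere = match_and_replace(FREE_REQUEST, FREE_ID, PAID_ID)
    return {
        "url_only_ids": template_ids_in(url_only),
        "url_only": attempt(url_only, "free", add_template_vulnerable),
        "everywhere_ids": template_ids_in(everywhere),
        "idor": attempt(everywhere, "free", add_template_vulnerable),
        "fixed_free": attempt(everywhere, "free", add_template_fixed),
        "fixed_paid": attempt(everywhere, "paid", add_template_fixed),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:15} {result}")
```

The point of the two client-side helpers is the check a practitioner should make before concluding "no IDOR here": dump every place the identifier appears in the request (template_ids_in) and make sure the swap reached all of them. The fix is the server-side one, an entitlement decision keyed on the authenticated user's plan, which no client-side edit can bypass.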

I quickly wrote a report and submitted the bug with high severity, only to be hit with an Informative two days later, saying that they no longer accept this kind of bug for some reason😅

The program had over 200 bugs and there were no signs of any BAC/IDOR bugs, so when I found this one I was really amazed that such a thing hadn't been reported before. The testing itself was not that easy, but I tried to make things simple and clear. During these few days I learned that you should test every function on the app and not assume that because some of them are protected all of them are, and always be patient: the more you understand the program, the easier it is to hack and get ideas.

I hope you enjoyed this write-up and that it was useful. Let me know if you have any suggestions related to bug hunting or my writing skills😅
