My first 10k bdt bounty from an e-commerce site

Hello peps , Peace be upon on you.First of all that’s my 1st writeup so there maybe some lacking please avoid this silly mistakes.

So let’s dive to the journey of finding IDOR 😉. Normally that’s quarantine day I can’t go out to buy fish food for my lovely fishes.

Not exactly :3

That’s why I finding fish food on a well known e-commerce site of my country and ordered one packet of fish food.That’s appication was a function that after proceed an order it’s redirect to “Your Orders” page then suddenly I noticed the address bar and see the link it was

https://site.com/checkout/payment?orderId=xxxxxxx

my evil mind after see the param :3

Ah!!you see the param? 😁 I think you are thinking about the right thing what was I think.I fire up my Burp 🖤 and sent the intercept request to the Repeater.Then I change the value of param

https://site.com/checkout/payment?orderId=1111111

to

https://site.com/checkout/payment?orderId=1111112

But alas! It was showing 401 Unauthorized 😑.

Server be like -_-

So what! Should I give up or hunt deep? My evil mind was suggest me to hunt deep and I listen his words😉After digging more I came up to a process that “cancel orders” option. By using this option an authenticated user can cancel his / her orders.

Then I cancel my orders and intercept the request and the URL was

https://site.com/api-v4/Order/CancelOrder?orderId=xxxxxxx

I sent it to repeater tab and change the order id’s last value and I was shocked that the request’s response was come with 200 status code that’s mean I successfully canceled some user’s order without his / her account’s access

But I need to more confirm about this issue.So , I changed the last digit with another random integer but that time it shows 404 not found ! 🙄

Then I confirmed that If there is any order after canceling it shows 200 else 404 and through 200 response I was permitted to cancel any user’s order without any authenication.

I made a POC and reported this issue to authority.They fixed it and awarded me with 10,000 BDT.

Reported — Fri, May 8

Awarded -Thu, May 14

After all Thanks to my Allah for everything.Thanks to my PC , my parents , my friends and Specially someone 🖤 for their inspiration, helps and love.

Thanks for reading hope for a claps ;) pardon me for my mistakes.

Have a nice day. Be safe ❤

follow_me = [“Facebook”,twitter”];

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store