IDOR — Let’s delete any account

Bour Abdelhadi
2 min read · Jun 20, 2019


What I really like to do when I start using any website is to check whether the application has any vulnerabilities, but as you know, not every company allows that, so be careful.

I contacted the owner of the website to ask for permission to do some pen-testing on his web application, and fortunately he accepted and gave me the green light.

The application is a SaaS: the owner provides a service, and you select a subscription to use the system.

What I found is an IDOR (Insecure Direct Object Reference). You can read more about this vulnerability here.

So let me explain what I did:

1 — I created two accounts on the website (one for the attacker and one for the victim).

2 — I confirmed the email address for both.

3 — I logged in with the attacker account. At this step I intercepted the request and got a JSON response containing some interesting things: it says “User is now Loggedin”, but I don’t know why the developer returns the other info as well 👊. As you can see, we get the user’s ID, but it is base64-encoded.

Now I know what my ID looks like. After decoding it I noticed something else: it is a prefix + ID, for example:

PRF0012

So it’s easy to guess the IDs of the other users: just keep your prefix, PRF, and iterate the ID.

Let’s get to the fun part. The website has a feature that lets you delete your account if you don’t need it anymore, so I logged in with the victim account and retrieved its ID. After that I logged in with the attacker account and, instead of deleting my own account, I replaced my base64 ID with the victim’s base64 ID and... BOOM 👌

{"success":true,"message":"User account deleted","error_code":200,"data":""}

I could delete the victim’s account without logging in as them or even knowing their credentials.

The problem is that I could send this request to Intruder, generate all the IDs and empty the users table 😶.
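As an added illustration (this is not code from the post or from the application it describes), here is the vulnerable delete-handler pattern the post describes next to a hardened version that takes the deletion target from the server-side session, plus a small log check that flags one session submitting many different account IDs. The user IDs, the `USERS` table and the log line format are constructed for this example.

```python
import base64
import json
from collections import defaultdict

# Constructed sample user table; the real application's data is not on the page.
USERS = {"PRF0012": "attacker@example.com", "PRF0013": "victim@example.com"}

def encode_user_id(user_id: str) -> str:
    """Base64 is reversible encoding, not a secret: it hides nothing from the client."""
    return base64.b64encode(user_id.encode()).decode()

def decode_user_id(token: str) -> str:
    return base64.b64decode(token).decode()

def _response(ok: bool, message: str, code: int) -> dict:
    return {"success": ok, "message": message, "error_code": code, "data": ""}

def delete_account_vulnerable(session_user: str, body: str, users: dict) -> dict:
    """The pattern in the post: the handler deletes whatever ID the client sends
    and never compares it with the logged-in user (session_user is unused)."""
    target = decode_user_id(json.loads(body)["id"])
    if target not in users:
        return _response(False, "User not found", 404)
    del users[target]
    return _response(True, "User account deleted", 200)

def delete_account_fixed(session_user: str, body: str, users: dict) -> dict:
    """Hardened form: the deletion target comes from the server-side session only.
    A client-supplied ID naming another user is refused, so replaying the request
    with the victim's token fails instead of deleting the victim."""
    requested = json.loads(body).get("id")
    if requested is not None and decode_user_id(requested) != session_user:
        return _response(False, "Forbidden", 403)
    if session_user not in users:
        return _response(False, "User not found", 404)
    del users[session_user]
    return _response(True, "User account deleted", 200)

def flag_enumeration(log_lines: list, threshold: int = 3) -> list:
    """Detection: one session submitting many distinct account IDs to the delete
    endpoint looks like an iteration over PRF00xx, not like a user. Log format is
    constructed for this example: 'sess=<id> POST /account/delete id=<base64>'."""
    ids_per_session = defaultdict(set)
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        ids_per_session[fields["sess"]].add(decode_user_id(fields["id"]))
    return sorted(s for s, ids in ids_per_session.items() if len(ids) >= threshold)
```

Returning 403 on a mismatch (rather than silently deleting the session's own account) also gives the defender a log line to alert on.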

I did not share the website name because it’s still vulnerable .

The team decided to give me a reward of $700.

Check my gigs on Fiverr:

https://www.fiverr.com/bohrhadi

Follow me on LinkedIn:

https://www.linkedin.com/in/bohr/
