IDOR leading to Mass Account Takeover | SecurityDudePK

Ahmed Raza
7 min read · Sep 8, 2023


In the world of web application security, one critical vulnerability that we often find is the Insecure Direct Object Reference (IDOR). Understanding IDOR is crucial for both security professionals and developers, because it shows how an attacker can gain unauthorized access to, or manipulate, sensitive data simply by tampering with object identifiers that a web application exposes in its URLs, parameters or cookies.

Today, we will discuss how IDOR can lead to a mass account takeover scenario. Please note that all actions described are for illustrative purposes only and do not endorse any unauthorized or unethical activities.

Analyzing the Target Website:

I began by examining the website, which provides travel consultancy services. Using the Wappalyzer plugin, I identified that the website is built on ASP.NET and hosted on IIS on a Windows Server. This aligned with my expertise and interest, as I already had experience with ASP.NET from my final year project.

IMG:1 Wappalyzer Chrome Plugin for Checking Details

USER ACCOUNT TAKEOVER:

1: Account Sign Up:

Step 1: I started by creating a user account on the target website. During registration, I found that it offers 3 types of accounts:

1: User Accounts: (for people who want to go abroad for study or job purposes)

2: Travel Agent Accounts: (for agents who provide services to users moving to other countries)

3: Professional Agency Accounts: (for big consultation agencies)

Initially, I created a user account. Surprisingly, the website lacks the password requirements and email verification that are common in modern applications. I was able to set a trivial password (“1”) for our test account.

IMG: 2 Burp Suite User Account Register Request

2: User Dashboard:

Upon login, I accessed the user dashboard, which displays our profile information, including email and phone number. There is also an option to change the password, which we’ll explore later.

I then refreshed the user dashboard and captured the request in Burp Suite.

IMG:3 User Dashboard Burp Suite Request

Looking at the request, I noticed an object named SALogin in the Cookie header. It carries 3 values: memberID, memberName and memberType.

1: memberID is the important one. It is assigned whenever anyone creates an account on this website.

2: memberName is simply the name the user provided.

3: memberType identifies the account type: 1 for users, 2 for agencies and 3 for travel agents.

When I saw this, I modified the request by simply deleting memberName and memberType, then forwarded it. See the image below for reference.

IMG:4 User Dashboard Request with only memberId

When I sent the request, I got a 200 response from the server. That means the server was identifying me from memberID alone, which pointed to an IDOR vulnerability. So I simply modified the memberID from 357920 to 357922. See the image below.

IMG:5-IDOR via memberID

Boom! After sending the request, I could clearly see the result in the response tab: personal details like the email, phone number and location linked to this memberID.

3: Changing Password of Account:

Now I tried to change the password of this account, but I got an error, because changing the password requires knowing the current password.

IMG:6 Password Change

Since the IDOR was done through the cookie, when I refreshed the page I was back in my own account, which I had created for testing.

I then looked at the change-password functionality from my own account. When we enter the old password and then the new password, the system first sends a request to confirm the current password, and only after that verification does it send a second request to update the password. I captured the password change request in Burp. See the image below.

IMG:7 Password Change Burp Request

We can clearly see that it passes our new password in a variable newPass together with the MemberID. So I sent this request to Repeater and tried to change the password for MemberID 357922, whose email we already knew from Image 2.

IMG:8 Password Reset Burp Request

In the image above, you can clearly see that I changed the Member ID where the arrow points. This means we can change any user’s password through this request simply by changing the memberID. You can also see that the memberID in the Cookie of the same request is different. I sent this request and, boom, it worked. We had successfully found an account takeover vulnerability.
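The two mistakes described above (the server trusting a clear-text memberID in the SALogin cookie, and the password update taking its target MemberID from the request body with the current-password check in a separate, skippable request) are easiest to see next to a fixed version. The following is an added example written for this post, not the post’s own code and not the site’s ASP.NET code: a pure-Python model of both handlers. The cookie encoding (`memberID=…&memberName=…&memberType=…`, the ASP.NET multi-value cookie format), the sample accounts, and all function names are assumptions for the example.

```python
# Added example (not the post's code, not the site's code): vulnerable handlers
# beside hardened ones, modelled in plain Python so it runs offline.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # kept modest for a demo; raise for production hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-SHA256 digest) for a password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Member:
    member_id: int
    email: str
    member_type: int
    salt: bytes
    digest: bytes


@dataclass
class Request:
    cookies: Dict[str, str]  # raw cookie values
    form: Dict[str, str]     # POST body fields


# Constructed sample accounts, mirroring the post's tester (357920) and victim (357922) IDs.
MEMBERS: Dict[int, Member] = {}
for _mid, _email, _type, _pw in [(357920, "tester@example.com", 1, "1"),
                                 (357922, "victim@example.com", 1, "correct horse")]:
    _salt, _digest = hash_password(_pw)
    MEMBERS[_mid] = Member(_mid, _email, _type, _salt, _digest)


def parse_salogin(raw: str) -> Dict[str, str]:
    """Parse an ASP.NET-style multi-value cookie, e.g. 'memberID=1&memberName=a&memberType=1'.
    The post does not show the site's exact encoding; this format is an assumption."""
    return dict(part.split("=", 1) for part in raw.split("&") if "=" in part)


# ---- Vulnerable pattern: identity and target both come from the client -----------
def vulnerable_dashboard(req: Request) -> Tuple[int, Optional[dict]]:
    """Serves whichever memberID the clear-text SALogin cookie names; nothing else is checked."""
    member = MEMBERS.get(int(parse_salogin(req.cookies.get("SALogin", "")).get("memberID", -1)))
    if member is None:
        return 404, None
    return 200, {"email": member.email, "memberType": member.member_type}


def vulnerable_change_password(req: Request) -> int:
    """Updates the member named by the MemberID form field. There is no session or
    old-password check here because 'confirm current password' was a separate request."""
    member = MEMBERS.get(int(req.form["MemberID"]))
    if member is None:
        return 404
    member.salt, member.digest = hash_password(req.form["newPass"])
    return 200


# ---- Hardened pattern: opaque server-side session; the server fixes the target ---
SESSIONS: Dict[str, int] = {}  # random token -> member_id, never exposed to the client


def login(email: str, password: str) -> Optional[str]:
    for m in MEMBERS.values():
        if m.email == email and verify_password(password, m.salt, m.digest):
            token = secrets.token_urlsafe(32)
            SESSIONS[token] = m.member_id
            return token
    return None


def current_member(req: Request) -> Optional[Member]:
    member_id = SESSIONS.get(req.cookies.get("session", ""))
    return MEMBERS.get(member_id) if member_id is not None else None


def hardened_dashboard(req: Request) -> Tuple[int, Optional[dict]]:
    member = current_member(req)
    if member is None:
        return 401, None
    return 200, {"email": member.email, "memberType": member.member_type}


def hardened_change_password(req: Request) -> int:
    """Target is the session owner; any MemberID in the form is ignored, and the current
    password is verified in the same request that performs the update."""
    member = current_member(req)
    if member is None:
        return 401
    if not verify_password(req.form.get("oldPass", ""), member.salt, member.digest):
        return 403
    new_pass = req.form.get("newPass", "")
    if len(new_pass) < 12:  # the post notes the site accepted "1"; enforce a minimum
        return 400
    member.salt, member.digest = hash_password(new_pass)
    return 200
```

The design point is that in the hardened version the client never names an account at all: the session cookie is a random token that the server maps to a memberID, and the password update reads its target from that mapping. Combining the old-password check with the update in one request removes the gap the post exploits, where the confirmation request could be skipped and the update request sent directly.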

MASS ACCOUNT TAKEOVER:

We can now iterate through all registered user IDs and set a password of our own through the password request, leading to a mass account takeover. This is how a simple vulnerability like IDOR, if left unpatched, can have a huge impact.

Consultant Account Takeover:

I was really happy, as this was my first bug after practising on TryHackMe and PortSwigger Academy. But I was not satisfied, because user-level accounts do not have much access, so I thought: let’s try to hack the travel consultant accounts.

1: Account Register:

I proceeded to create an account as a travel consultant, which requires similar details (name, email, password and phone number).

IMG:9 Travel Consultant Register Burp Request

It’s worth noting that the MemberType for consultants is set to 3; I saw this in the Burp request.

2: Account Login:

Upon logging in, I accessed the consultant dashboard, which indicated that our account was unverified. The verification process requires interaction with the authorized team, so I was a bit disappointed, but I continued.

IMG:10 Consultant Dashboard Approval

Consultants possess certain privileges, including database access to user information and their preferred countries of travel. The intention is to investigate verified consultant accounts while adhering to ethical standards.

I found that the URLs for the user homepage and the consultant homepage were different, which means the ASP.NET views were built differently for these two account types. I then captured the dashboard request in Burp again.

IMG:11 Consultant Home Page

Here again we can see that SALogin is present in the Cookie, meaning we can again do IDOR and gain access to accounts. But one noticeable thing was the memberID. I tried, but it failed, because almost 90% of the registered accounts are users with MemberType 1, and they have different URLs for the dashboard and manage-profile pages. Whenever I tried one of those IDs, I got a 404 error.

So I thought: let’s use Intruder to find consultants from the memberID.

Using Intruder to do IDOR on the Consultant Member Type:

To locate consultant accounts, I used the Intruder tool to exploit the IDOR for the consultant MemberType.

IMG: 12 Intruder Payload

Step 1: I set the payload position on the last 4 digits of the MemberId, as you can see in Image 12 above.

IMG:13 Intruder Payload

Step 2: I set a number payload from 1 to 7000, as you can see in Image 13 above.

IMG 14: Resource Pool

Step 3: Next, select the resource pool and click Start, as shown in Image 14 above.

Results of Intruder:

IMG:15 Intruder Results

The Intruder results helped me identify valid consultant accounts by comparing HTTP status codes and response lengths: most IDs belonged to ordinary users and returned a 404 on the consultant page, so the few that answered differently were the consultants. This method located consultant accounts effectively.

So let’s give it a try. Just copy this request, send it to Repeater and see the result.
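From the defender’s side, the sweep described above has an obvious signature: one client resolving hundreds of distinct memberIDs in a short window, most of them answered with 404 because the consultant page does not exist for user accounts. The following detection logic is an added example, not code from the post. It assumes an application-level log that records which memberID each request resolved to (IIS’s default W3C log does not record cookies, so this needs logging at the application layer); the log format, the sample lines and the thresholds are all constructed for the example.

```python
# Added example (not the post's code): flag clients that resolve many distinct
# member IDs in a short window, reporting how many of those requests were 404s.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed application-log format (not IIS's default W3C log, which does not record
# cookies): "<iso-timestamp> <client-ip> <method> <path> memberID=<id> <status>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) memberID=(?P<mid>\d+) (?P<status>\d{3})$"
)

Event = Tuple[datetime, str, str, int, int]  # (time, ip, path, member_id, status)


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["ip"], m["path"], int(m["mid"]), int(m["status"]))


def detect_enumeration(lines: List[str], window: timedelta = timedelta(minutes=5),
                       max_distinct: int = 10) -> List[dict]:
    """One alert per client IP whose busiest `window` touched more than `max_distinct`
    distinct member IDs. The 404 ratio is reported because probing a page that only
    exists for one account type (the consultant dashboard here) yields mostly 404s."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_ip[ev[1]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            win = evs[start:end + 1]
            distinct = len({e[3] for e in win})
            if distinct > max_distinct and (best is None or distinct > best[0]):
                best = (distinct, sum(e[4] == 404 for e in win) / len(win))
        if best:
            alerts.append({"ip": ip, "distinct_ids": best[0], "ratio_404": round(best[1], 2)})
    return alerts


def build_sample_log() -> List[str]:
    """Constructed log: one client refreshing its own dashboard, and one client walking
    consecutive member IDs against the consultant dashboard (the pattern the post describes)."""
    base = datetime(2023, 9, 8, 10, 0, 0)
    lines = []
    for i in range(6):
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.7 GET /user/dashboard memberID=357920 200")
    for i in range(40):
        mid = 351000 + i
        status = 200 if mid % 10 == 0 else 404  # only a few IDs belong to consultants
        ts = (base + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.5 GET /consultant/dashboard memberID={mid} {status}")
    lines.append("not a log line")  # malformed input is skipped, not fatal
    return lines


if __name__ == "__main__":
    for alert in detect_enumeration(build_sample_log()):
        print(alert)
```

The same rule applied to the password-change endpoint is even stronger: a single session should never update more than one memberID, so any client whose password updates span several IDs is worth an alert on its own, regardless of rate.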

IMG:16
IMG:17 Intruder Hit Account

Resetting Password via Password Requests :

Once a verified consultant account was identified, I attempted a password reset using a request similar to the one used earlier for user accounts: I reused the same Burp request and only replaced the memberID with that of the consultant account.

IMG:18 Resetting Passwords of Consultant Accounts

In the image above, you can see that we successfully changed the password of the account we found through Intruder.

Within consultant accounts, I discovered a section containing user details, including names, qualifications, and preferred countries. This level of access raises serious security concerns.

IMG:19 Student Inquiries

After finding this bug, I immediately reported it to the website owner so that they could take steps to fix these vulnerabilities.

I was really happy to find this vulnerability, as it was my first. I have spent a lot of time making this post for you.

Kindly do like it, and make sure to follow me on YouTube and LinkedIn.

YouTube: https://www.youtube.com/@Security-Dude-PK

LinkedIn: https://www.linkedin.com/in/ahmed-raza-dinexo-technologies/

Take Care and Peace Out.

Disclaimer:

The content provided in this text is for informational purposes only and does not endorse or encourage any form of unauthorized or unethical activities, including hacking, data breaches, or other cybersecurity-related actions. The author acknowledges the importance of adhering to legal and ethical standards when conducting security testing and vulnerability assessments.
