Accidental IDOR

Injector Pca
Jul 1 · 2 min read

Hi guys, I hope you all are doing well. This write-up is about an accidental IDOR that I found in a private program; let's call it redacted.com. I was checking the update-address functionality for CSRF: the API sends JSON data to the server and there is no CSRF protection. When I tried changing the Content-Type to text/plain, I got this:

The error disclosed another, hidden endpoint. I made an OPTIONS request to that hidden endpoint to check the allowed methods.

After trying the methods one by one, the GET method did something magical.

If you look at the hidden endpoint, it contains an email, which was my own account's email. I then created a second account and replaced the email in the endpoint with the second account's email.

I was able to see my second account's information. On further testing, sending a PUT request let me update the address of my second account, and similarly a DELETE request let me delete the address on my second account.
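To make the bug concrete, here is an added example (not code from the write-up or from the program): a minimal in-memory model of a per-email address endpoint, with the handler that trusts the email in the URL next to one that binds the record to the authenticated session and refuses non-JSON state changes. The `Request` class, the `ADDRESSES` data and the email addresses are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data: the address book the hidden endpoint reads and
# writes, keyed by account email exactly as the endpoint path was.
ADDRESSES = {
    "alice@example.test": {"street": "1 Main St"},
    "bob@example.test": {"street": "9 High St"},
}


@dataclass
class Request:
    method: str                      # GET / PUT / DELETE (the OPTIONS-allowed set)
    path_email: str                  # email embedded in the hidden endpoint URL
    session_email: str               # identity the authenticated session belongs to
    content_type: str = "application/json"
    body: dict = field(default_factory=dict)


def _address_crud(req, store):
    """Shared read/update/delete on the address book; no authorization here."""
    if req.method == "GET":
        return 200, store.get(req.path_email)
    if req.method == "PUT":
        store[req.path_email] = dict(req.body)
        return 200, store[req.path_email]
    if req.method == "DELETE":
        return 200, store.pop(req.path_email, None)
    return 405, None


def vulnerable_handler(req, store):
    """The write-up's behaviour: the email in the URL is trusted as-is, so any
    logged-in user can view, change or delete another account's address."""
    return _address_crud(req, store)


def hardened_handler(req, store):
    """Ownership comes from the session, never from the URL, and state-changing
    calls must be JSON so a cross-site text/plain form post is refused."""
    if req.path_email != req.session_email:
        return 403, None                      # IDOR closed: not your record
    if req.method in ("PUT", "DELETE") and req.content_type != "application/json":
        return 415, None                      # simple cross-site form posts cannot send this
    return _address_crud(req, store)
```

Running the same swapped-email GET, PUT and DELETE against both handlers shows the vulnerable one returning another account's data while the hardened one answers 403.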

./Logout
