A $5000 IDOR…

Apr 16, 2019 · 4 min read

Hello Everyone!! Mr.Hacker here. In this article I’m going to describe a critical vulnerability I found in one of the programs.

Without wasting your precious time: the vulnerability which rewarded me the bounty was a Critical IDOR which led to broken access control, letting me read messages, send messages and download all files of any user’s conversation with customer support.

Hacking Time

So once any user sends a message in the customer support chat box, the following request is generated:

Fig: Request to send messages

As shown in the above image, the user has sent the text message “testing by john wick2!”, which goes in the “text” parameter.

The response from the server was as shown below:

Fig: Response from server

The sent message was reflected back in the server’s response.

1. Test Case-I : The first test case is the obvious one. As seen in the request there is an “id” parameter; I tried changing it to another user’s id and received the following response.

Fig: Error response from server

2. Test Case-II : I kept the id parameter unchanged and removed the hash value from the “user_hash” parameter; the following was the response from the server.

Fig: User hash is invalid

This means the user hash value is mapped to the user id and the hash is mandatory… until I found the IDOR 😜.

3. Test Case-III : Now I removed the values of the “id” and “user_hash” parameters and still received the same error as in Fig: User hash is invalid.

4. Test Case-IV : Now only two parameters were remaining, “email” and “anonymous_id”. I even set the value of “anonymous_id” to null and received the below response. 😭😭😭😭

Fig: F*CK!!! YAAA!! IDOR

Finally, IDOR!! So this means that the web application was somehow misconfigured: on removing the values of all parameters except the “email” parameter, the server gave a valid response, the same as shown earlier in Fig: Response from server.

Hence I came to know that the web application only verifies the email id of the user and then returns a valid response.

Fig: Email Id is the IDOR-Request
Fig: Email Id is the IDOR-Response from server

Hence, if I change the email parameter’s value to any other user’s email id, I can read and send messages in his conversation and upload or download files. All I had to do was shorten the POST URL to /messages/web_v1/conversations_parent and the server would politely respond with all the conversation ids; I would then just append a conversation id to get that user’s conversation, with the POST URL being /messages/web_v1/conversations_parent/[conversation-id]


The takeaway from this article: even if the server shows an error message on the first test case (Test Case-I), i.e. changing the user id to another user’s (the default case for IDOR), most people would think it is not vulnerable to IDOR and give up.

But try to escalate it further by eliminating the parameter values one by one and you might hit your target like I did. Also, an IDOR does not have to involve a numeric value: in this case the IDOR was the email; change it to another user’s email and you would see his conversations. So the IDOR key can be anything; it does not have to be an incrementing number.

That’s it, I hope you liked this article. Happy Hacking!
