Accidental IDOR

Saad Ahmed
Jul 1, 2019 · 2 min read

Hi guys, I hope you are all doing well. This write-up is about an accidental IDOR that I found in a private program; let's call it redacted.com. I was checking for CSRF in the update-address functionality: the API was sending JSON data to the server and there was no CSRF protection. When I changed the Content-Type to text/plain, I got this:


The error disclosed another hidden endpoint. When I made an OPTIONS request to that hidden endpoint and checked the allowed methods, I got this:


After trying all the methods one by one, the GET method did something magical:


If you look at the hidden endpoint, it contains an email address, which is my own account's email. I then created another account and replaced the email in the endpoint.


I was able to see my second account's information. After further testing, sending a PUT request let me update the address of my second account, and similarly sending a DELETE request let me delete the address on my second account.
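As an added illustration (not code from the original write-up or from the program it describes), here is a minimal Python model of the address endpoint described above: one handler that selects the record by the email in the URL alone, which is exactly the flaw that allowed GET, PUT and DELETE on another account, beside one that checks that identifier against the authenticated session and requires a JSON content type on updates. All names, routes, email addresses and data here are constructed for the example.

```python
"""Added example (constructed, not from the original write-up): an address
endpoint keyed by an email in the URL, in its IDOR-prone form and in an
ownership-checked form."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample data: two accounts, each with one saved address.
ADDRESSES: Dict[str, dict] = {
    "alice@example.com": {"street": "1 Main St", "city": "Springfield"},
    "bob@example.com": {"street": "9 Elm Ave", "city": "Shelbyville"},
}


@dataclass
class Request:
    method: str                     # GET / PUT / DELETE
    path_email: str                 # email taken from the URL path (client-controlled)
    session_email: Optional[str]    # principal the server authenticated from the session
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[dict] = None


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vulnerable_address_handler(req: Request, store: Dict[str, dict]) -> Response:
    """Mirrors the flaw in the write-up: the record is chosen by the email in
    the URL alone, so any logged-in user can read, overwrite or delete any
    other user's address just by changing that email."""
    if req.session_email is None:
        return Response(401)
    if req.method == "GET":
        return Response(200, store.get(req.path_email))
    if req.method == "PUT":
        store[req.path_email] = req.body or {}
        return Response(200, store[req.path_email])
    if req.method == "DELETE":
        store.pop(req.path_email, None)
        return Response(204)
    return Response(405)


def hardened_address_handler(req: Request, store: Dict[str, dict]) -> Response:
    """Fix: the object identifier in the URL must match the authenticated
    principal (no more IDOR), and a PUT must declare a JSON body, so the
    text/plain trick from the write-up is rejected before any state changes."""
    if req.session_email is None:
        return Response(401)
    # Ownership check: never trust the identifier supplied by the client.
    if req.path_email != req.session_email:
        return Response(403)
    if req.method == "PUT":
        ctype = req.headers.get("Content-Type", "")
        if not ctype.lower().startswith("application/json"):
            return Response(415)
        store[req.path_email] = req.body or {}
        return Response(200, store[req.path_email])
    if req.method == "GET":
        return Response(200, store.get(req.path_email))
    if req.method == "DELETE":
        store.pop(req.path_email, None)
        return Response(204)
    return Response(405)


if __name__ == "__main__":
    store = dict(ADDRESSES)
    # Alice's session, Bob's email in the URL: the vulnerable handler leaks Bob's record.
    print(vulnerable_address_handler(Request("GET", "bob@example.com", "alice@example.com"), store))
    # The hardened handler refuses the same request.
    print(hardened_address_handler(Request("GET", "bob@example.com", "alice@example.com"), store))
```

The content-type check is defence in depth only: it blocks the simple form-based cross-site request the write-up exploited, but a real deployment still wants a CSRF token or SameSite cookies. The ownership comparison is the part that actually closes the IDOR, and it should be applied uniformly to every method the endpoint advertises, including the ones OPTIONS reveals.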
