A Simple IDOR to Account Takeover

Getting Started with IDOR: What is IDOR?

IDOR stands for Insecure Direct Object Reference. The application exposes a reference to an internal object (a user ID, an email address, a file name) and acts on it without checking that the requester is actually authorised for that object, so changing the reference lets you read or modify data, or perform an action, that belongs to another user. It is an access-control flaw rather than an input-validation one: the value you send is perfectly well-formed, it just is not yours.

Consider the program name to be example.com, since it is a private program. I was not able to find any issue on the main domain and gave up after getting 3 duplicates; it was a 3-year-old private program and I had been participating in it since October 2019.

Later, in the 2020 new year and with a new vibe, I started searching for vulnerabilities on the same program again, this time with a proper approach and methodology. I referred to the program scope and saw that there were a few subdomains that caught my attention because they had no known vulnerabilities, so I thought it was a good chance for me to break them down.

Within two hours I found 4 vulnerabilities, one of which was an account takeover. Here is how I discovered it. First I tested the login page, the registration page and the forgot-password page. While testing the forgot-password flow I saw that when the user sets a new password, the Email parameter was present in the request body along with the new password and confirm new password parameters. So I thought: why not change the email to someone else's email ID? When I did so, it gave me full access to the account of the altered email.

Original Request:-

POST /login/internalResetPasswordSubmit?Toketoken=random_char&m=1234&nid=random_char HTTP/1.1
Host: subdomain.example.com
Headers: Etc
Cookie: all_required_cookies

Edited Request:-

POST /login/internalResetPasswordSubmit?Toketoken=random_char&m=1234&nid=random_char HTTP/1.1
Host: subdomain.example.com
Headers: Etc
Cookie: all_required_cookies


The two requests differ only in the value of the email parameter in the request body, which is not shown above: my own email in the original, the victim's email in the edited one. The reset token in the query string is checked, but the server takes the account to update from the client-supplied email instead of from the account the token was issued for. So after forwarding the edited request in Burp, the password gets changed on the victim's account and the browser is logged straight into the victim's account.
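To make the root cause concrete, here is an added example (not the target's code, and not from the original post) that models the reset-submit handler in Python. The user table, the token store, the parameter names email / new_password / confirm_password and the demo accounts are all assumptions for this illustration. The vulnerable handler only checks that the reset token exists and then updates whichever account the body names; the hardened handler derives the account from the token, rejects a body email that does not match it, and consumes the token so it cannot be replayed.

```python
import hashlib
import hmac
import secrets


def hash_password(password: str) -> str:
    # sha256 keeps the example dependency-free; a real application uses a slow
    # password hash such as argon2id or bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()


def make_users() -> dict:
    # Constructed in-memory stand-in for the user table (assumption for this example).
    return {
        "victim@example.com": {"password_hash": hash_password("victim-original")},
        "attacker@example.com": {"password_hash": hash_password("attacker-original")},
    }


def request_reset(tokens: dict, email: str) -> str:
    """Forgot-password step: mint a random token bound to the requesting account."""
    token = secrets.token_urlsafe(32)
    tokens[token] = email
    return token


def reset_vulnerable(users: dict, tokens: dict, token: str, body: dict) -> bool:
    """Pattern described in the write-up: the token is checked for existence only,
    and the account to update is taken from the client-supplied email field."""
    if token not in tokens:
        return False
    if body["new_password"] != body["confirm_password"]:
        return False
    target = users.get(body["email"])  # attacker controls this value
    if target is None:
        return False
    target["password_hash"] = hash_password(body["new_password"])
    del tokens[token]
    return True


def reset_secure(users: dict, tokens: dict, token: str, body: dict) -> bool:
    """Hardened handler: the account comes from the token, never from the body;
    a body email, if present at all, must match; the token is single-use."""
    email = tokens.get(token)
    if email is None:
        return False
    if body["new_password"] != body["confirm_password"]:
        return False
    if "email" in body and not hmac.compare_digest(
        body["email"].encode(), email.encode()
    ):
        return False  # mismatch: reject (and log it), never "fix up" the target
    users[email]["password_hash"] = hash_password(body["new_password"])
    del tokens[token]  # consume the token so it cannot be replayed
    return True


def attacker_changes_victim_password(handler) -> bool:
    """Replay the write-up's attack: request a reset for the attacker's own account,
    then submit with email=victim. True if the victim's password was changed."""
    users, tokens = make_users(), {}
    token = request_reset(tokens, "attacker@example.com")
    handler(users, tokens, token, {
        "email": "victim@example.com",
        "new_password": "attacker-chosen",
        "confirm_password": "attacker-chosen",
    })
    return users["victim@example.com"]["password_hash"] == hash_password("attacker-chosen")


def legitimate_reset_works(handler) -> bool:
    """A normal reset must still succeed, and reusing the same token must fail."""
    users, tokens = make_users(), {}
    token = request_reset(tokens, "victim@example.com")
    body = {"email": "victim@example.com",
            "new_password": "victim-new", "confirm_password": "victim-new"}
    first = handler(users, tokens, token, body)
    replay = handler(users, tokens, token, body)
    changed = users["victim@example.com"]["password_hash"] == hash_password("victim-new")
    return first and not replay and changed


if __name__ == "__main__":
    print("vulnerable handler, attack succeeds:", attacker_changes_victim_password(reset_vulnerable))
    print("secure handler, attack succeeds:   ", attacker_changes_victim_password(reset_secure))
```

The check that matters is that the email is never used to choose the account; it is looked up from the token server-side. Echoing the email back in the form is harmless only if the server treats it as a consistency check and rejects on mismatch, which is what reset_secure does.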

The impact can be increased further by changing an admin account's password, thus getting full access to the admin account.

I reported this at 12:30 am IST on 28th January.

I got a response from the team in the morning saying they were not able to replicate it and asking me to take over a test account they had created. I wanted to reply as soon as possible, so I did the same: I changed the password of the test account created by the team, edited the profile with my username as proof of concept, and sent the report.

Within 5 minutes the report was triaged and the priority was set to P1.

The next day the company rewarded me with a 4-digit $$$$ bounty, my first 4-digit bounty.

Thanks for Reading

Contact: Twitter, LinkedIn
