How I was able to pwn 30,000+ users' webhooks

Gujjuboy10x00
Mar 14, 2019 · 3 min read

Hello Guys !!

I am writing this report after a long time, about my finding on one private program. I got an invite to a private program (ex: xyz.com) on HackerOne.

After looking into the complete functionality of the web application, I found that it has webhook functionality.

What are Webhooks?

A webhook (also called a web callback or HTTP push API) is a way for an app to provide other applications with real-time information. A webhook delivers data to other applications as it happens, meaning you get data immediately.

A web application implementing webhooks will POST a message to a URL when certain things happen. Webhooks are a way to receive valuable information when it happens, rather than continually polling for that data and receiving nothing valuable most of the time.

Looking at the webhook functionality in the xyz application, the feature is used to add notifications for all branches (CI/CD), and a numeric ID (ex: 1588211) is generated in sequence for every new webhook.

It was actually an old target, but I still checked for an IDOR vulnerability, since an ID was generated for each webhook and the IDs were sequential.

What is IDOR Vulnerability?

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example database records or files. If you want to know more on this, refer here: IDOR vulnerability

There is an option to delete the webhooks a user has created. The request looks like the one below:

PUT /projects/322335/notifications HTTP/1.1
Host: xyz.com
Connection: close
Content-Length: 388

{"authenticity_token":"test","notification":{"notifier":"deletewebhook","branch":"admin","build_owner":"all","webhook_url":"https://1","enabled":false,"id":1588211,"description":"admin"}}

Now, we already know that the ID in the request body is incremental, so I created one more account and created a few webhooks. By changing the ID in the delete request above, I was able to delete another user's webhook.

As this number is sequential, an attacker can just run Burp Intruder over $ID$ and delete every user's webhooks. I was like wtf!!!!!!
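To make the root cause concrete, here is an added example (my own code, not the program's or the author's) that models the delete handler behind PUT /projects/<id>/notifications in two versions: the broken one, which trusts the id from the JSON body, and a hardened one, which resolves the webhook through the caller's own project. The account names (victim, mallory), the project ids and the handler names are all constructed for the illustration; the sequential ids starting at 1588211 mirror the post. The sweep() helper is the authorization regression check a defender would keep in the test suite: it tries every id in a range as one user and reports what actually got deleted.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """Raised both when the id does not exist and when it belongs to someone else,
    so the response never confirms whether a guessed id is real."""


@dataclass
class Webhook:
    id: int
    project_id: int
    owner: str
    url: str
    enabled: bool = True


class WebhookStore:
    """In-memory stand-in for the notification table (constructed for the example)."""

    def __init__(self, first_id: int = 1588211):
        self._next_id = first_id  # sequential ids, as described in the post
        self.webhooks = {}        # id -> Webhook

    def create(self, owner: str, project_id: int, url: str) -> int:
        wh = Webhook(self._next_id, project_id, owner, url)
        self.webhooks[wh.id] = wh
        self._next_id += 1
        return wh.id

    def delete_vulnerable(self, caller: str, project_id: int, webhook_id: int) -> bool:
        """Mirrors the broken handler: the id from the body is used as-is. Neither the
        session user nor the project in the URL is checked, so any logged-in user who
        supplies another user's id deletes that user's webhook (the IDOR)."""
        if webhook_id not in self.webhooks:
            raise NotFound(webhook_id)
        del self.webhooks[webhook_id]
        return True

    def delete_fixed(self, caller: str, project_id: int, webhook_id: int) -> bool:
        """Hardened handler: the object is resolved through the caller's ownership and
        the project in the URL, never by the bare id from the body."""
        wh = self.webhooks.get(webhook_id)
        if wh is None or wh.owner != caller or wh.project_id != project_id:
            raise NotFound(webhook_id)
        del self.webhooks[webhook_id]
        return True


def sweep(handler, caller: str, project_id: int, id_range) -> list:
    """Authorization regression check: attempt every id in id_range as `caller` and
    return the ids the handler deleted. For a correct handler this must be exactly
    the caller's own webhooks in that range."""
    deleted = []
    for wid in id_range:
        try:
            if handler(caller, project_id, wid):
                deleted.append(wid)
        except NotFound:
            pass
    return deleted


def _seed() -> tuple:
    """Constructed data: three webhooks for 'victim', one for 'mallory'."""
    store = WebhookStore()
    victim_ids = [store.create("victim", 322335, f"https://victim.example/hook{i}") for i in range(3)]
    mallory_id = store.create("mallory", 999001, "https://mallory.example/hook")
    return store, victim_ids, mallory_id


def demo() -> dict:
    """Run the same id sweep, as mallory, against both handlers and report the outcome."""
    results = {}
    id_range = range(1588211, 1588215)

    store, victim_ids, mallory_id = _seed()
    results["vulnerable_deleted"] = sweep(store.delete_vulnerable, "mallory", 999001, id_range)
    results["vulnerable_victim_left"] = [i for i in victim_ids if i in store.webhooks]

    store, victim_ids, mallory_id = _seed()
    results["fixed_deleted"] = sweep(store.delete_fixed, "mallory", 999001, id_range)
    results["fixed_victim_left"] = [i for i in victim_ids if i in store.webhooks]
    results["mallory_own_id"] = mallory_id
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points are worth noting. First, the fix is the ownership-scoped lookup, not the id format: switching to random ids (UUIDs) only makes guessing harder and is defense in depth, while the handler would still be broken for anyone who learns an id. Second, the hardened handler answers a foreign id and a missing id identically, so a sweep like the Burp Intruder run described above learns nothing about which ids exist.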

The team replied within a day.

The team fixed this issue within 2 days.

Thanks for reading, guys. I have always believed that sharing is caring. Hope you liked this finding. Many more are coming. Stay tuned. Feel free to comment if you have any question, or shoot me a DM on Twitter (twitter.com/vis_hacker).
