How I was able to pwned 30000+ user’s webhook

Hello Guys !!

I am writing this report after a longtime about my finding on 1 private program. I got invite with one of private program(ex: xyz.com) on hackerone .

After looking into complete functionality of web application , i get to know that they have webhook functionality.

What is Webhooks?

A webhook (also called a web callback or HTTP push API) is a way for an app to provide other applications with real-time information. A webhook delivers data to other applications as it happens, meaning you get data immediately.

A web application implementing WebHooks will POST a message to a URL when certain things happen. WebHooks are a way to receive valuable information when it happens, rather than continually polling for that data and receiving nothing valuable most of the time.

After looking into webhook functionality in xyz application , which feature is used to add notification for all branches (CI/CD), where some ID (ex: 1588211) is generating in sequence on every different webhook.

Actually it was old target , still i tried to check for IDOR vulnerability as ID was generated for each webhooks and that was in sequence.

What is IDOR Vulnerability?

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. if you want to know more on this refer here : IDOR vulnerability

There is option to delete created webhooks for that user. which request looks like below

PUT /projects/322335/notifications HTTP/1.1 
Host: xyz.com
Connection: close
Content-Length: 388
{"authenticity_token":"test","notification":{"notifier":"deletewebhook","branch":"admin","build_owner":"all",{"webhook_url":"https://1"},"enabled":false,"id":1588211,"description":"admin""}}

Now , we already know that ID in request body is incremental , so i created 1 more account and create few webhooks. so , by changing ID in above delete request i was able to delete another user’s webhook.

As this number is in sequence , attacker can just run burp intruder for $ID$ and can delete all user’s webhook running on. I was like wtf!!!!!!

Team replied within a day ,

Team fixed this issue within 2 days.

Thanks for reading guys , I always believed that sharing is caring. Hope You liked this finding. Many more are coming. Stay tuned. feel free to comment if you have any question , or shoot me DM in twitter (twitter.com/vis_hacker )