Hey everyone, last week I got invited to a private program through one of my friends, Ananda Dhakal.
About the Bug
IDOR (Insecure Direct Object Reference) was listed in the OWASP Top Ten 2013. It is a vulnerability that lets you access or modify data you are not authorized to, because the application exposes a direct reference to an object (such as a numeric id) and never checks that the requester is allowed to act on it. Let's move to a practical scenario.
So I was testing that program, and at the start I found a normal rate-limiting issue worth $25 😅😅. Yeah, it's too low; I was not happy with it either.
So I started playing with requests in Burp Repeater. After testing for some time I didn't get anything, so I stopped and shut my Mac down.
After a few minutes I got a Discord notification from the admin worth $300... Guess what that was???
I was surprised, then remembered that I had been playing with requests. I think I had deleted it.
So I instantly went through my whole Burp history and searched for the delete request. Hopefully, I got it.
There was a feature on that website to add and delete team members on my account. So when I was playing with requests I had sent a delete request with user_id = 1, which is why the admin account got deleted. After this, I had confirmed that I could delete anyone's account.
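To show the defect behind the bug above, here is an added example (not code from the original post or from the program in question) that models a "delete team member" endpoint twice: once trusting the client-supplied user_id as the vulnerable endpoint did, and once with the ownership check that was missing. The data store, user ids and function names are constructed for illustration.

```python
# Added illustration of the IDOR described in the post (constructed data, not
# the affected site's code). User 1 stands in for the admin account.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    team_owner_id: int  # id of the account whose team this user belongs to


@dataclass
class Store:
    users: dict = field(default_factory=dict)


def make_store():
    """Constructed sample data: an admin plus two accounts, one with a team member."""
    s = Store()
    s.users[1] = User(1, 1)      # platform admin, belongs to no one else's team
    s.users[10] = User(10, 10)   # the researcher's own account
    s.users[11] = User(11, 10)   # a member of the researcher's team
    s.users[20] = User(20, 20)   # an unrelated account
    return s


def delete_member_vulnerable(store, session_user_id, target_user_id):
    """IDOR: authenticates the caller but never checks who owns the target."""
    if session_user_id not in store.users:
        return 401
    if target_user_id not in store.users:
        return 404
    del store.users[target_user_id]  # user_id=1 removes the admin
    return 200


def delete_member_fixed(store, session_user_id, target_user_id):
    """Only members of the caller's own team may be removed."""
    if session_user_id not in store.users:
        return 401
    target = store.users.get(target_user_id)
    # One response for "does not exist" and "not in my team", so the endpoint
    # cannot be used to confirm which ids exist. Log these: a logged-in user
    # posting ids outside their team is exactly the probe this bug was found with.
    if target is None or target.team_owner_id != session_user_id:
        return 404
    if target_user_id == session_user_id:
        return 403  # removing yourself is account deletion, a separate flow
    del store.users[target_user_id]
    return 200
```

The check is on the server's own record of team ownership, never on anything the client sends; a team-member id in the request is only a hint about which row to look at.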
I reported the bug and sent the pic. Within an hour I got my reward of $300 + $25 for the rate-limiting bug. It was the fastest resolution ever in my BB career.
If you have questions or anything about the post you want to ask me, please contact me via Twitter. I'll have my DMs open.
Guys, please don't hesitate to clap 50 times 😊
Until Next Time!
If you like my blog posts and my work, please consider checking out my “Buy me a coffee” page