Blind IDOR leads to changing the personal details of the company's employees.

Harshit Sengar
Mar 26, 2020


I was doing freelance work for a company. The company had a private dashboard for its employees, from which each employee could modify his or her own personal details. Managers, HR, and the Chief Officer roles could see any employee's personal details and communicate with them, but ordinary employees could not see other employees' personal details.

What are you thinking now?

Now all I needed was to find the victim employee's ID. Here is the search option on the dashboard where I could look up the details:

Green box where the employee's name was entered.

When I clicked on the victim employee's name, I got some details; the employee's ID (11131) was the key piece for the exploitation.

No Employee’s personal details

I selected the modify personal details option and clicked the update button.

My personal details

I intercepted the update request, and my employee ID appeared in two places.

Intercepted request of update

I changed my ID to the victim employee's ID (11610 -> 11131) and forwarded the request. I got the message “Thank you for updating the details”.

When I checked the victim employee's details, none of the changes I had made were visible, and the response to the modified request did not show them either.

Then, to make sure, I logged into the victim employee's account and checked the modify personal details option.

Victim Employee’s Personal Details

And I had successfully changed the victim's personal details.
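The following Python sketch is an added example, not code from the original post or the company's dashboard. It models the update endpoint described above in its vulnerable form (the server trusts the employee ID carried in the request body) and a hardened form (the target is tied to the session unless the caller holds a privileged role). Field names, the role names, the in-memory store, and the sample employee records are all assumptions; the real request carried the ID in two places, which this model collapses into a single `employee_id` field. The point it makes concrete is why the bug is blind: both handlers answer the attacker with the same success message, so the only reliable oracle is checking the victim's record afterwards, which `reproduce_blind_idor` returns alongside the response.

```python
# Added example, not code from the original post: a minimal model of the
# "update personal details" endpoint, vulnerable and hardened. Field names,
# roles and the store are assumptions made for illustration.
from copy import deepcopy

# Constructed sample data using the two IDs from the write-up.
EMPLOYEES = {
    11610: {"name": "Attacker", "role": "employee", "phone": "111-1111"},
    11131: {"name": "Victim", "role": "employee", "phone": "222-2222"},
    20001: {"name": "HR Person", "role": "hr", "phone": "333-3333"},
}

# Roles allowed to edit other employees' details (assumed from the post).
PRIVILEGED_ROLES = {"manager", "hr", "chief_officer"}

# Fields a user may change about themselves; "role" is deliberately excluded.
EDITABLE_FIELDS = {"name", "phone"}

THANK_YOU = "Thank you for updating the details"


def fresh_store():
    """Return a copy of the sample data so each scenario starts clean."""
    return deepcopy(EMPLOYEES)


def update_vulnerable(store, session_employee_id, body):
    """Vulnerable handler: the target record is chosen by the request body.

    The session is never consulted, and the response is identical whether the
    caller edits their own record or someone else's, so nothing in the reply
    tells an attacker whether the write landed.
    """
    target = body["employee_id"]
    if target not in store:
        return 404, "Not found"
    changes = {k: v for k, v in body.items() if k != "employee_id"}
    store[target].update(changes)
    return 200, THANK_YOU


def update_fixed(store, session_employee_id, body):
    """Hardened handler: the target must be the session user, or the caller
    must hold a privileged role. The body is reduced to an allowlist so a
    client cannot smuggle in fields such as "role".
    """
    target = body["employee_id"]
    if target not in store:
        return 404, "Not found"
    actor = store[session_employee_id]
    if target != session_employee_id and actor["role"] not in PRIVILEGED_ROLES:
        return 403, "Forbidden"
    changes = {k: v for k, v in body.items() if k in EDITABLE_FIELDS}
    store[target].update(changes)
    return 200, THANK_YOU


def reproduce_blind_idor(handler):
    """Replay the post's scenario: user 11610 sends employee_id 11131.

    Returns (status, message, victim_phone_after). The third element is the
    out-of-band oracle the post used (logging in as the victim); the first two
    are all the attacker sees in the HTTP response.
    """
    store = fresh_store()
    body = {"employee_id": 11131, "phone": "999-9999"}
    status, msg = handler(store, 11610, body)
    return status, msg, store[11131]["phone"]


if __name__ == "__main__":
    print("vulnerable:", reproduce_blind_idor(update_vulnerable))
    print("fixed:     ", reproduce_blind_idor(update_fixed))
```

Run as a script, the vulnerable handler reports success and the victim's phone number is overwritten, while the hardened handler refuses and the record is untouched. When testing for this class of bug, treat a 200 and a friendly confirmation message as no evidence either way; confirm through a second account or a later read of the target record, as the post did.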

