Hackcura

Hackcura is a team of enthusiastic and passionate security researchers that provides penetration testing services and consultancy.


Blind IDOR leads to changing the personal details of a company’s employees.


I was doing freelance work for a company. The company had a private dashboard for its employees, from which each employee could modify his or her own personal details. Users in the Manager, HR and Chief & Officer roles could see the personal details of any employee and communicate with them, but no other employee could see another employee’s personal details.

What are you thinking now?

Now all I needed was the victim employee’s ID, and here is the option on the dashboard where I could search for it:

Green box where employee’s name was entered.

When I clicked on the victim employee’s name, I got some details; the employee’s ID (11131) was the one that mattered for the exploitation.

No Employee’s personal details

I selected the modify personal details option and clicked the update button.

My personal details

I intercepted the update request; my employee ID appeared in two places in it.

Intercepted request of update

I changed my ID to the victim employee’s ID (11610 -> 11131) and forwarded the request, and got the message “Thank you for updating the details”.

When I looked at the victim employee’s details, the changes I had made were not shown there, and they did not appear in the response to the modified request either.

So, to be sure, I logged in to the victim employee’s account and checked the modify personal details option.

Victim Employee’s Personal Details

And there they were: I had successfully changed the victim’s personal details.
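The update flow above, as an added example that is not code from the original post or from the client’s application: a minimal Python model of the “modify personal details” endpoint with the vulnerable handler (target record chosen from the client-supplied ID), the hardened handler (target record taken from the server-side session, with mismatching IDs rejected), and a check that replays the write-up’s blind IDOR test by tampering as the attacker and then verifying through the victim’s own view. The IDs 11610 and 11131 are the ones quoted in the post; the field names, the session model and the sample records are assumptions.

```python
"""Added example, not code from the original post or the client's application.

A minimal in-memory model of the "modify personal details" endpoint: the
vulnerable handler trusts the employee ID supplied by the client, the hardened
handler takes it from the server-side session, and blind_idor_check() replays
the write-up's flow (tamper as the attacker, then read the record as the victim).

Employee IDs 11610 (attacker) and 11131 (victim) are the ones quoted in the
post; field names, session model and sample records are assumptions.
"""
from copy import deepcopy
from dataclasses import dataclass

# Constructed sample records for the two accounts in the post.
EMPLOYEES = {
    11610: {"name": "Attacker", "phone": "000-0000", "address": "Attacker's old address"},
    11131: {"name": "Victim", "phone": "111-1111", "address": "Victim's old address"},
}

THANK_YOU = "Thank you for updating the details"


@dataclass
class Session:
    """Identity established at login; the only trustworthy source of 'who am I'."""
    employee_id: int


def view_own_details(db, session):
    """The dashboard's 'my personal details' page: keyed on the session only."""
    return dict(db[session.employee_id])


def update_details_vulnerable(db, session, path_id, form):
    """Vulnerable handler: the record to update is chosen from the client-controlled
    ID, which the post found in two places in the request (modelled here as the
    URL path and a form field). The session is never consulted. The response is a
    generic thank-you that never echoes the record, so a successful cross-user
    write is invisible to the attacker: a blind IDOR.
    """
    target = int(form.get("employee_id", path_id))
    if target not in db:
        return {"status": 404, "message": "Unknown employee"}
    db[target].update({k: v for k, v in form.items() if k != "employee_id"})
    return {"status": 200, "message": THANK_YOU}


def update_details_fixed(db, session, path_id, form):
    """Hardened handler: the target is the logged-in employee, full stop. Any
    client-supplied ID that disagrees is rejected with 403 rather than silently
    ignored, so tampering attempts show up in logs instead of vanishing.
    """
    target = session.employee_id
    supplied = {int(path_id), int(form.get("employee_id", path_id))}
    if supplied != {target}:
        return {"status": 403, "message": "Forbidden"}
    db[target].update({k: v for k, v in form.items() if k != "employee_id"})
    return {"status": 200, "message": THANK_YOU}


def blind_idor_check(handler, attacker_id, victim_id, field, new_value):
    """Replays the write-up: submit the attacker's own update with the ID swapped
    to the victim's, then log in as the victim and read the record. Returns
    (response message, whether the victim's record actually changed). Reading
    through the victim's view is what turns a 'blind' result into proof.
    """
    db = deepcopy(EMPLOYEES)
    before = db[victim_id][field]
    tampered = {"employee_id": str(victim_id), field: new_value}
    resp = handler(db, Session(attacker_id), str(victim_id), tampered)
    after = view_own_details(db, Session(victim_id))[field]
    return resp["message"], (after != before and after == new_value)


def self_update_check(handler, employee_id, field, new_value):
    """Control case: a legitimate update of one's own record must still work."""
    db = deepcopy(EMPLOYEES)
    form = {"employee_id": str(employee_id), field: new_value}
    resp = handler(db, Session(employee_id), str(employee_id), form)
    return resp["status"], view_own_details(db, Session(employee_id))[field]


if __name__ == "__main__":
    for name, h in (("vulnerable", update_details_vulnerable), ("fixed", update_details_fixed)):
        print(name, blind_idor_check(h, 11610, 11131, "phone", "999-9999"))
```

The point of the harness is the verification step: because the response says only “Thank you” whether or not the victim’s record changed, the only reliable way to confirm a blind write is to read the record back through a channel you trust. In the post that was the victim’s own account; on an engagement without one, use a second test account you control as the “victim” rather than a real employee.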

Follow me on Twitter.

Thank you guys.😊

Harshit Sengar

Synack Red Team Member | Cyber Security Enthusiast | Information Security Engineer | Penetration Tester