All About Getting First Bounty with IDOR

Hello All,
In April ’20 I started reading about and practising IDOR. For the first few days it looked hard to find an IDOR vulnerability, so I went back to different practice labs to get a wider idea of this vulnerability and the various ways to exploit it. I practised on DVWA, bWAPP, and PortSwigger Academy.
According to OWASP:
“Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more.”
The writeups and mindmap I followed are shared at the end of this writeup.
In this writeup I am sharing a few of the scenarios which I reported to a program. Let's say I have created 3 users on a website, User_1, User_2 and User_3, all with the same role and permissions:
Scenario #1: There was a functionality where a user creates a post and others can like, comment on and share that post on their profile. While checking this functionality I noticed that another user can only mention the author of that post in a comment, and the mentioned person receives a notification of it.
Detailed attack scenario:
- User_1 created a post.
- When User_2 comments on that post, I noticed I could mention only the author of that post, which in this case is User_1.
- So I captured the comment request (the comment was: Please check @User_1) in Burp, and the JSON data was being passed like this:
- {"text":"Please check @[User_1 name]","mentions":[{"uid":"random 9 digits","key":"User_1 name"}],"message_id":random 9 digits}
- In the above JSON data the uid is User_1's. By visiting the profile of User_3 and doing “inspect element” on User_3's profile picture, I could get the uid of User_3.
- So in the JSON data I changed User_1's name to User_3's name in both values and replaced User_1's uid with User_3's uid.
- Finally I was able to mention any other user in that post, and the mentioned user received a notification for it.
The program rewarded me $$$ for this bug, and this was my first ever bounty :D
Scenario #2: There was a functionality to either join a group or create a group. After creating a group the user gets a group_code which they can share with other users, and a referred user is added to the group without the approval of the group's owner.
Detailed attack scenario:
- User_1 selects “Create a group” and, after giving a name and adding a description to the group, gets a refer_code (6 random letters, e.g. pgytsd) for the group.
- Now User_2 selects “Join a group” and enters pgytsd as the code, and I captured this request.
- In the “Join a group” request the JSON data was passed like below:
- {"membership":{"access_code":"pgytsd"}}
- I just needed to change or brute-force the access_code.
- After changing the group code I was added into any user's group, and in the Burp response User_2 was also able to see the name and description of that group, as well as the name and uid of the group's owner.
Another IDOR, and again I was rewarded $$$ for this bug.
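Both scenarios come down to the server trusting a client-supplied identifier (the mention uid, the group access_code) without checking whether the caller is allowed to use it. The following is an added example of how a backend can close both gaps; it is not the program's code, and the data model, function names and sample uids are assumptions.

```python
"""Server-side authorization for the two IDOR scenarios above.
Added example; the Post/GROUPS model and the uids are constructed."""
import secrets
from dataclasses import dataclass, field

@dataclass
class Post:
    author_uid: str
    commenter_uids: set = field(default_factory=set)

# Constructed sample state: User_1 authored post 1, User_2 already commented.
POSTS = {1: Post(author_uid="111111111", commenter_uids={"222222222"})}
GROUPS = {}  # access_code -> group record

def allowed_mentions(post_id):
    """Who the app intends to be mentionable on this post (author plus
    existing commenters), derived from server state, never from the request."""
    post = POSTS[post_id]
    return {post.author_uid} | post.commenter_uids

def validate_comment(post_id, payload):
    """Scenario #1 fix: reject any mention whose uid is outside the allow list.
    The client-supplied display name ('key') plays no part in authorization."""
    if post_id not in POSTS:
        raise PermissionError("unknown post")
    allowed = allowed_mentions(post_id)
    for mention in payload.get("mentions", []):
        if mention.get("uid") not in allowed:
            raise PermissionError("uid %r may not be mentioned here" % mention.get("uid"))
    return True

def create_group(owner_uid, name, description):
    """Scenario #2 fix, part 1: a 6-letter code is roughly 28 bits and can be
    brute-forced; token_urlsafe(16) gives 128 bits from the CSPRNG."""
    code = secrets.token_urlsafe(16)
    GROUPS[code] = {"owner": owner_uid, "name": name, "description": description}
    return code

def join_group(code, attempts_this_window, max_attempts=5):
    """Scenario #2 fix, part 2: budget join attempts per client, and do not
    echo owner uid or description back; an unknown code gets a generic error."""
    if attempts_this_window >= max_attempts:
        raise PermissionError("too many join attempts")
    group = GROUPS.get(code)
    if group is None:
        raise PermissionError("invalid access code")
    return {"name": group["name"]}
```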
#Blogs / Writeups:
- How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for Large Bounty Rewards | @Bugcrowd
- swisskyrepo/PayloadsAllTheThings
- Insecure Direct Object Reference (IDOR) - Intigriti
- IDOR Bugs are Pure Love($7k+$250)
- How critical is IDOR vulnerability? Can it take down a whole company? ~ Ninad Mathpati
- A Less Known Attack Vector, Second Order IDOR Attacks
- Everything You Need to Know About IDOR (Insecure Direct Object References)
- List of bug bounty writeups
- Insecure Direct Object Reference Prevention - OWASP Cheat Sheet Series
- How to find more IDORs
#Mindmap:
#Burp Extensions:
There is a video by STÖK which explains very well how to use Autorize and Auto Repeater:
Special Thanks to Pratyush Anjan Sarangi and Ninad Mathpati for helping and guiding me.
As this is my first writeup, sorry if there are any mistakes :D
Connect with me:
LinkedIn: https://in.linkedin.com/in/m0hn1sh
Twitter: https://twitter.com/M0hn1sh
All About Getting First Bounty with IDOR was originally published in InfoSec Write-ups on Medium.