Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1)

Hello Guys!!

This is my first Blog post and i am starting with IDOR Vulnerability. In this Post you will know about many endpoints to test IDOR vulnerability! Hope you will like it.

Arbaz Hussain get invitation to test one private program and find vulnerabilities with his team mates but he was busy with his work and selected me to test that program. So i would like to thank Arbaz for sharing site and Thanks to AqeelAsif for teaching me lots of stuff from which i was able to find 21 valuable vulnerabilities in 2-days in this program 🙂 and received $3000 in CryptoCurrency!!

Recently i have conducted penetration testing of Popular Social Media Platform and Found lot of IDOR Vulnerabilities .

A direct object reference is likely to occur when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key without any validation mechanism which allows attackers to manipulate these references to access unauthorized data ~ TutorialPoint

https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References


Without wasting more time i am directly going to write about vulnerabilities i have found in that program.


#1. IDOR — Deleting All Posts Of Website

When i have posted a status on my timeline and click on my post it redirects me to another page on which i was able to see my post id in URL.

So after seeing postid in url quickly i have logged in with Attacker’s Account and posted on timeline to check what i can do with this postid .

Attacker’s Post

Due to improper validation of postid parameter at Server side leads to Delete All Posts On Website Remotely using IDOR Vulnerability at Following Endpoint .

on clicking *Delete the item* Option makes following Request to the server .

Request making to Server Side

As you can see there is id parameter in POST Data values which is unique id of posts, So i tried changing value from Attacker’s postid to victim’s postid and it deleted Victim’s Post.

Victim’s Post Deleted


Again i thought if userid parameter is vulnerable and not validating at server side then i can find many IDOR’s ……And i was right !! Luckily i was able to find 12-IDOR Vulnerabilities 😉


#2. IDOR — Changing Anyone’s Profile Picture

Due to improper validation of userid at Server side leads to Change anyone’s Profile Picture Remotely using IDOR Vulnerability at Following Endpoint .

Profile of Attacker

on clicking *Browse* Option and selecting image file and Clicking Upload makes following Request to server .

Request Making To Server

As you can see there is userid parameter in POST Data values which is unique id of user , So i tried changing it to another victim account userid value and it changed Victim’s Profile Picture .

Changed Victim Profile photo with Attacker Photo

#3. IDOR — Changing Anyone’s Cover Picture

Due to improper validation of userid at Server side leads to Change anyone’s Profile Picture Remotely using IDOR Vulnerability at Following Endpoint .

Profile Of Attacker

on clicking *Browse* Option and selecting image file and Clicking Upload makes following Request to server .

Request Making To Server

 

As you can see there is userid parameter in POST Data values which is unique id of user , So again i tried changing it to another victim account userid value and it changed Victim’s Cover Picture .

Changed Victim Cover Pic with Attacker Pic

What’s next?? Any Option to Delete Profile Pic And Cover Pic? 😉


Yes!! Again i have tested IDOR to Delete “Profile Pictue” & “Cover Picture” and all was working from my side. I was able to Delete “Profile Pictue” & “Cover Picture” of every user. So without wasting time on making POC Video i have reported the issue and got quick response within hours.

11.png

“i like quick responses so i boost up myself to test this program.”

Hope you like this follow other reports here

 

About the Author

Leave a Reply

%d bloggers like this: