Hello everyone, Jay Jani, noob here with another noobish finding. As 2k18 has started, I thought I'd hunt on Twitter to gain reputation on HackerOne. I tried to find a bug on their acquisition, Mopub.com. It was quite a hard site to get even a single bug on.
I tried to find XSS and other bugs, but no luck 🙁
Then I tried to find an IDOR, but they have strong protection. I saw there was a Report functionality where you can create a report. I quickly made two accounts and tried to swap the Report IDs between them, but no success 🙁
So I thought I'd leave the site, since they are pretty strong and I could not find anything there.
But then, luckily, I checked the request and response in Burp and found that there was an IDOR in the report functionality after all. All I needed to do was capture the response to the edited request.
The steps I followed to reproduce the bug are:
1. Replace the Report ID with another account's Report ID
2. Do Intercept > Response to this Request
3. Request in Browser > In Original Session
4. And I was able to view anyone's Report.
PS: Some of my friends did not get this, so I need to clarify. There actually was an IDOR in the Report functionality, but when you change the Report ID of Account-A to the Report ID of Account-B, the browser did not show anything and the page went blank. Somehow the browser restricted it, I don't know why, but the request actually went through and the Report of Account-B could be viewed by Account-A: I got the HTML of Account-B's Report in Burp Suite's Response. So by replaying the response in the browser's original session I could view the manipulated Report.
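To make the server-side cause of this bug concrete, here is an added example that is not from the original post and is not Mopub's code: a minimal report lookup written the way that produces the IDOR above (fetch by ID only), the fixed version that scopes the lookup to the logged-in account, and a small cross-account probe that checks the returned body rather than what a browser would render, which is exactly the lesson of "look at the response". The account names, report IDs and report bodies are constructed sample data.

```python
"""Added example (hypothetical): IDOR on a report-by-ID endpoint, its fix,
and an authorization regression check that inspects response bodies."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


class Forbidden(Exception):
    """Raised when the authenticated user may not read the requested report."""


@dataclass(frozen=True)
class Report:
    report_id: int
    owner: str   # account that created the report
    body: str    # what the server returns as the page body


# Constructed sample data: two accounts, one report each.
REPORTS: Dict[int, Report] = {
    101: Report(101, "account-a", "Account A's private report"),
    202: Report(202, "account-b", "Account B's private report"),
}

Handler = Callable[[str, int], str]


def get_report_vulnerable(session_user: str, report_id: int) -> str:
    """IDOR pattern: the report is fetched by ID alone, so the session's
    identity never influences which record comes back. Whether a client
    renders the result or shows a blank page is irrelevant to the leak."""
    report = REPORTS.get(report_id)
    if report is None:
        raise Forbidden("no such report")
    return report.body


def get_report_fixed(session_user: str, report_id: int) -> str:
    """Fix: the lookup is scoped to the caller. A report that exists but
    belongs to someone else gets the same error as a missing one, so the
    endpoint does not become an oracle for which report IDs are valid."""
    report = REPORTS.get(report_id)
    if report is None or report.owner != session_user:
        raise Forbidden("no such report")
    return report.body


def cross_account_probe(handler: Handler) -> List[Tuple[str, int]]:
    """Authorization regression check: every account requests every report
    it does not own, and we compare the returned body with the real report
    body instead of trusting a UI. Returns the (user, report_id) pairs that
    leaked; an empty list means the handler enforces ownership."""
    leaks: List[Tuple[str, int]] = []
    users = sorted({r.owner for r in REPORTS.values()})
    for user in users:
        for report in REPORTS.values():
            if report.owner == user:
                continue
            try:
                body = handler(user, report.report_id)
            except Forbidden:
                continue
            if body == report.body:
                leaks.append((user, report.report_id))
    return leaks


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_account_probe(get_report_vulnerable))
    print("fixed handler leaks:     ", cross_account_probe(get_report_fixed))
```

Running it lists the two cross-account leaks for the vulnerable handler and none for the fixed one. The probe is the kind of test that belongs in a project's own suite: it asserts on what the server sends back, so a client-side quirk that blanks the page cannot hide a missing ownership check.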
So basically this is a simple IDOR, but all I want to express is: “Always have your eyes on the response as well.”