IDOR Vulnerability | Full Account Takover

solo
4 min readOct 21, 2020

Hey Guys!!! Today I am so excited bcoz its my first writeup and also its on my favorite bug. So I hope you guys enjoy my writeup and learn something new. Feel free to ask me anything and also suggestions are most welcome!!!

So, let me tell you first why i said my favorite bug bcoz bugs which leads to full account takeover are my favorite and I love to play with them. Whenever I do bug hunting or penetration testing first i try for every possibilities for account takeover then i move onto other findings. And yeah we are going to talk about this bug in our writeup.

So I am doing job as a penetration tester and this bug is from my project so I am not allowed to disclose it!!! So we will use www.target.com here. So its basically an eCommerce website in which you can make an account of course but here your account is your store where you can sell things. And you can also create sub-stores under your main store. You can edit your sub-stores details like name, address, password, etc from your main store account. Sub-stores are also account, thats why they have login credentials too.

Tools I used here is — Browser & BurpSuite

So while I was testing the website i noticed that they are passing customer id (account id)in plain text format in every POST request. So obviously first you should try for IDOR whenever you see something like customer id, account id, role, admin id, etc and I also tried the same. And luckily it worked!!! Yaaayyyy I found an IDOR vulnerability on sub-store create feature. Let me explain you shortly what was happening. For example my customer id is 123 and target account’s customer id is 234 so if i change my customer id in request body from 123 to 234 the i can create sub-store in 234 id’s account without any authentication.

POST /customer/account/popupregister/ HTTP/1.1
Host: www.target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 340
Origin: www.target.com
Connection: close
Referer: www.target.com
Cookie: __Cookies___

form_key=wEbOphAwaG1Y5adaZVD&managerid=123&customerid=&addressid=&firstname=IDOR&lastname=Test&company=IDOR+TEST1&telephone=582453&fax=&street=asdasdas&country_id=US&region_id=4&region=&city=Phoenix&postcode=85003&createuser=YES&email=idortest222%40gmail.com&pre_mobile=1&mobile=&username=NewIDOR&password=Abcd%40123&confirmation=Abcd%40123

But i was not much happy here bcoz i have already submitted 5 or 6 IDOR to them.

Next I tried on edit option for the same bug and it was also vulnerable to this. If you click on edit button then a popup window will come with details of sub-store of the given customer id even if you are not owner of that sub-store. For example if i change customer id from 123 to 234 it will popup 234 id’s account details.

I saw password field in this popup and first i thought i cant make change to other sub-store’s details since its asking for password but its a still sensitive information disclosure so I thought to submit this bug in low severity and started to write my report but wait a minute

its a password field for setting up new password and not even asking for old password!!! wait what?! Suddenly i realised that if i can make this request successfully then i can change anyone’s password!!! So I again send the request and intercepted in BurpSuite and change the customer id and got popup window with target account details now I changed the password and clicked on submit! And the result was success!!!

So Now I can change anyone’s account(store) login credential like name, password or anything and not only sub-store but I can even change on anyone’s main account too!!! So this was fully account takeover.

Now my excitement was on peak level and I was so happy that i found my favorite bug for the very first time. I quickly made the report and submitted. Yeah no bounty for this, but I am getting salary for this work haha!!!

Thanks For Reading guys!!!I still have more bug reports in pending so more writeups coming soon. Stay tuned!!! Happy Hacking | Happy Hunting

--

--

solo

Penetration Tester | Bug Bounty Hunter | Ethical Hacker |