Accidental IDOR

Hi guys I hope you all are doing good so this write-up is all about the accidental IDOR that I found in the PRIVATE program, so let’s assume the name redacted.com. I was checking the CSRF vulnerability in the update address functionality, the API was sending the JSON DATA to the server & there was no CSRF protection when i tried to change the content type to text/plain I got this.

An error disclosed another hidden endpoint, when i made an OPTIONS request to that hidden endpoint & checked the allow methods i got this.

After trying all methods one by one the GET method did something magical

If you notice in the hidden end-point there is an email which is my own account email & then i created another account & replaced the email in the end-point.

I was able to see my second account information & after further testing if I send the PUT request i was able to update the address of my 2nd account & similarly if I send a DELETE request I was able to delete the address on my 2nd account.

./Logout