IDOR — Account Takeover

Hi guys,

After a long time I decided to share some of my findings and contribute to this awesome community. This write-up is all about an IDOR that I found in a private program that I have been hunting on for the past year.

So there is a request that updates the account username `-822e-0edf00549f0a` and contains the following data: `{"firstName":"john","lastName":"account","document":"32132132132","birthDate":"2019-05-30T00:00:00","gender":"male","homePhone":"1000000000"}`

So I noticed that `0e84b3b2-c65f-11e8-822e-0edf00549f0a` is the user ID. I created another account, replaced the ID with the other account's, and was able to change the first and last name of my 2nd account. But the user ID is hard to guess. After spending a lot of time crawling the web app, I noticed that there is a request the web app sends to the server just to verify whether an email is registered or not. The request looks like this, and the response looks like this: `[{"email":"","id":"0e84b3b2-c65f-11e8-822e-0edf00549f0a"}]`, so the user ID problem is solved :D

I tried to dig more and tried to change the email. I noticed that the input field's code is `<input type="email" name="email" value="" />`, and in the update-account-details request this is the JSON data sent to the server: `{"firstName":"john","lastName":"account","document":"32132132132","birthDate":"2019-05-30T00:00:00","gender":"male","homePhone":"1000000000"}`. I added the email parameter and value so that the JSON data looks like this: `{"firstName":"john","lastName":"account","document":"32132132132","birthDate":"2019-05-30T00:00:00","gender":"male","homePhone":"1000000000","email":""}`, and boom, I was able to change anyone's email, which leads to Account Takeover.
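As an added example (not code from the original post or from the program in question), here is a minimal Python profile-update handler with the two defects the post describes, a user ID taken from the request and a JSON body merged unchecked, beside a hardened version that authorises against the session and allow-lists the updatable fields. The user records and every ID other than the one quoted above are constructed placeholders.

```python
import copy

# Constructed sample store: the first key is the user ID quoted in the post,
# the second is a placeholder standing in for any other user.
USERS = {
    "0e84b3b2-c65f-11e8-822e-0edf00549f0a": {
        "firstName": "john", "lastName": "account", "email": "john@example.com"},
    "victim-id-placeholder": {
        "firstName": "jane", "lastName": "doe", "email": "jane@example.com"},
}

# Fields the profile-update endpoint may change. "email" is deliberately
# absent: the login identifier needs its own verified change flow.
UPDATABLE = {"firstName", "lastName", "document", "birthDate", "gender", "homePhone"}


def fresh_store():
    """Return an independent copy of USERS so each call starts clean."""
    return copy.deepcopy(USERS)


def update_vulnerable(users, url_user_id, payload):
    """What the post describes: the ID comes from the request and the whole
    JSON body is merged into the record (IDOR plus mass assignment)."""
    users[url_user_id].update(payload)
    return users[url_user_id]


def update_hardened(users, session_user_id, url_user_id, payload):
    """Authorise against the authenticated session, then apply only the
    allow-listed fields; anything else is rejected rather than ignored."""
    if url_user_id != session_user_id:
        raise PermissionError("a user may only update their own account")
    unexpected = set(payload) - UPDATABLE
    if unexpected:
        raise ValueError(f"unsupported fields: {sorted(unexpected)}")
    users[url_user_id].update(payload)
    return users[url_user_id]


if __name__ == "__main__":
    me = "0e84b3b2-c65f-11e8-822e-0edf00549f0a"
    body = {"firstName": "john", "lastName": "account", "email": ""}
    print(update_vulnerable(fresh_store(), "victim-id-placeholder", body))
    for args in ((me, "victim-id-placeholder", body), (me, me, body)):
        try:
            update_hardened(fresh_store(), *args)
        except (PermissionError, ValueError) as exc:
            print(type(exc).__name__, exc)
```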

Without wasting time I made a good report and reported it to the team, and this is the response that I got:

[screenshot: the team's response]

And after some time the analyst came back:

[screenshot: the analyst's response]

Lesson: Always try harder :D Hope you like it.

