How source code reading helped me find an IDOR

Hey fellow hackers,

I hope everyone is doing great in these crucial times (COVID-19). I am back with yet another recent finding of mine.

It was around 1 AM and I was not feeling sleepy. Besides, I have never known any bug hunter who falls asleep at 1 AM, lol! We bug hunters never sleep 😛 (at least I don't).

Now, coming back to work: this report is not disclosed, so let us assume the website name is https://www.example.com.

This is again some kind of e-commerce website. As I said in my other blog posts, before doing anything I sign up and spend some time browsing the entire website to get some knowledge about it.

I did the same with this one. After around 15 minutes, I couldn't find any of the common vulnerabilities, like sensitive info leaks through external links, login pages hosted on HTTP instead of HTTPS, etc.

Note: If you haven't read my other post about sensitive info leaks through external links, this is the time to read it, or you can read it after finishing this one.

So, after the initial analysis there were no naive vulnerabilities. Time to fire up Burp.

After firing up Burp, I click on each link and check my HTTP history. I don't start intercepting from the first request; I first want to know what kind of requests are being made, where they are going, and so on. I did the same thing that day and spent around 20-30 minutes here clicking various links, blah blah blah.

Click Everywhere

While doing this, I found something interesting on my profile page.

So, basically, there were some links on my profile page, like orders, address, etc., and the request looked like the one below.

POST /php/filter_user_tab_content.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 92
Connection: close
Cookie: XXXXXXXXXXXXX

user_id=1234&tab=address

After looking at the above request, what do you think? Anything juicy?

Obviously, many would think of the user_id parameter. I did the same: fired up Intruder and started brute-forcing the user_id parameter.

And I saw a bunch of 200 OK responses. I was like...

Yesss

I immediately checked one of the requests, and all I saw were empty responses. All of them were empty except mine.

There is nothing in the response

Well, that's fine. Bug hunters don't give up!

I tried doing the same with the other links, like address, orders, etc.

The request for orders looked like this:

POST /php/filter_user_tab_content.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 92
Connection: close
Cookie: XXXXXXXXXXXXX

user_id=1234&tab=orders

Same thing for the address link; only the tab parameter changes:

user_id=1234&tab=address

I quickly ran Intruder on both of these requests, annndddddd... empty responses again.

Empty responses again!

It was around 3 AM and I was feeling sleepy. But I didn't want to give up.

Then I shifted my interest towards the tab parameter. My initial thought was: what are all the names that can go into the tab parameter?

From the profile page, I already knew it could take orders, address, credit cards, etc., but none of them were vulnerable.

So, I went into the source code of the page. While going through it, I saw an attribute called data. It contained nothing but the names used for the tab parameter: orders, address, credit card, etc. Refer to the code below.

<a href="x" data="orders">orders</a>
<a href="x" data="address">address</a>
....

So now it was confirmed that whatever was in the data attribute could go into the tab parameter of the request. I kept scrolling and, wait!!!!!!! What was that???

<a href="x" data="orders">orders</a>
<a href="x" data="address">address</a>
....
....
....
....
....
<!-- //commented
<a href="x" data="secret">secret</a>
-->

I saw another data attribute, but that part of the code was commented out. It was also nowhere linked to the profile page UI. It had the value secret.

So I thought, maybe they hadn't filtered this secret thing yet and it was still under development. Why not brute-force the tab parameter with this name now?

Go intruder go!

POST /php/filter_user_tab_content.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 92
Connection: close
Cookie: XXXXXXXXXXXXX

user_id=1234&tab=secret

I quickly changed the tab parameter to secret and ran it. I saw the same 200 OK responses, but this time they were not empty. YAYYYYYYY!

And they had sensitive data as well! I was like,

Finally!
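The two steps of this write-up, the user_id brute force that came back empty and the commented-out tab name pulled from the page source, reproduced offline as an added example. This is not code from the original post or from the target site: the endpoint and parameter names follow the requests above, but the page source, the user table and the server logic are constructed stand-ins, and the "hardened" branch is my assumption of how the fix should look (one ownership check before any tab is dispatched), not what the program actually shipped.

```python
from html.parser import HTMLParser

# Constructed page source, modelled on the snippet in the post: three
# visible tabs plus one anchor that the developers commented out.
SAMPLE_SOURCE = """
<div id="profile-tabs">
  <a href="x" data="orders">orders</a>
  <a href="x" data="address">address</a>
  <a href="x" data="cards">credit cards</a>
  <!-- //commented
  <a href="x" data="secret">secret</a>
  -->
</div>
"""

# Constructed user table standing in for the site's database.
# 1234 is the tester's own account; the others are victims.
USERS = {
    1234: {"orders": "order #1", "address": "1 Tester St", "cards": "visa *1111", "secret": "dob 1990-01-01"},
    1235: {"orders": "order #7", "address": "2 Victim Rd", "cards": "visa *2222", "secret": "dob 1985-05-05"},
    1236: {"orders": "order #9", "address": "3 Other Ave", "cards": "visa *3333", "secret": "dob 1978-09-09"},
}
SESSION_USER = 1234

# Tabs the developers finished and wired up with an ownership check (assumed).
CHECKED_TABS = {"orders", "address", "cards"}


class TabCollector(HTMLParser):
    """Collect every value of the custom `data` attribute on <a> tags.

    html.parser never emits tags that sit inside an HTML comment, so the
    comment body is re-parsed on its own; anything found there is a tab
    name the UI never shows, which is exactly what the post went looking for.
    """

    def __init__(self):
        super().__init__()
        self.visible = []
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "data" and value:
                    self.visible.append(value)

    def handle_comment(self, data):
        inner = TabCollector()
        inner.feed(data)
        inner.close()
        self.hidden.extend(inner.visible + inner.hidden)


def collect_tab_names(source):
    """Return (visible_tabs, commented_out_tabs) found in page source."""
    parser = TabCollector()
    parser.feed(source)
    parser.close()
    return parser.visible, parser.hidden


def filter_user_tab_content(session_user, user_id, tab, hardened=False):
    """Stand-in for /php/filter_user_tab_content.php (assumed logic).

    Vulnerable shape: each finished tab handler checks ownership on its own,
    and the unfinished 'secret' tab never got that check. That reproduces
    what the post saw: empty 200s for every tab except the hidden one.
    Hardened shape: ownership is checked once, up front, before any tab is
    dispatched, so a tab added later cannot forget it.
    """
    if hardened and user_id != session_user:
        return 403, ""
    record = USERS.get(user_id)
    if record is None or tab not in record:
        return 200, ""
    if tab in CHECKED_TABS and user_id != session_user:
        return 200, ""  # what Intruder saw: 200 OK with an empty body
    return 200, record[tab]


def probe(tabs, user_ids, session_user=SESSION_USER, hardened=False):
    """Replay the Intruder run over every (user_id, tab) pair, keeping only
    responses that hand back another user's data. The status code is not
    used as a signal: an empty body is a miss whatever the status says."""
    hits = []
    for tab in tabs:
        for uid in user_ids:
            _status, body = filter_user_tab_content(session_user, uid, tab, hardened)
            if body and uid != session_user:
                hits.append((uid, tab, body))
    return hits


if __name__ == "__main__":
    visible, hidden = collect_tab_names(SAMPLE_SOURCE)
    print("visible tabs:", visible, "commented out:", hidden)
    ids = sorted(USERS)
    print("visible tabs, foreign data returned:", probe(visible, ids))
    print("hidden tab, foreign data returned:", probe(hidden, ids))
    print("after the fix:", probe(visible + hidden, ids, hardened=True))
```

Two things worth keeping from this: sort Intruder results by response length or body content rather than status code, because every request here is a 200, and treat anything the server's own HTML names (including inside comments) as an input candidate, since the server accepted "secret" long before the UI ever sent it.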

I quickly made a report, sent it to the program and waited.

After a few hours, I got a response saying it was ACCEPTED, and they awarded me a bounty as well!

You know what they asked me? They asked how I found this endpoint with this parameter name, as it was nowhere in the UI. It's RECON!

Submitted on That day!
Resolved on That day!
Bounty awarded on That day!

Hope you enjoyed this write-up. I will be back with another post very soon!

Also, there is a very special post coming on June 23rd. Stay tuned for it!!! It's very special!!

You can always support me through Paypal!
>>paypal.me/icodechannel<<
