IDOR | My first P2 that Lead to Full PII Exposure

.بِسْم اللَّه الرَّحْمن الرَّحِيم . . اللَّهمَّ صَلِّ وَسلَّم وبارك على نَبِينَا مُحمَّد

In the name of God, the most gracious, the most merciful.
May Allah’s blessings and peace be upon our Prophet Muhammad.

Abstract

IDOR, or Insecure Direct Object Reference, is Not only an easy-to-find bug in the wild But also may lead to Critical Information Exposure in different contexts. If you don’t know anything about IDOR then you gotta watch Insider PhD Explains What is IDOR and How to Find it.

Affected Target

It’s a private program on Bugcrowd, and while I can’t disclose the name, we’re all familiar with the story! Let’s refer to it as ‘redacted.com’.

Before the Hunt

The website is introducing a streaming service, and while the scope is narrow and limits extensive testing and mass recon, I intend to dedicate some time to thoroughly review the documentation. This will help me familiarize myself with the business model and identify potential threat points.

After some reading and note-taking, I began creating an account to experience the website’s full features and functions, essentially becoming an end-user. Meanwhile, I’m running BurpSuite in the background, performing default scanning and crawling tasks while using the App.

Burp Suite’s History

After some time using the App as an end user, I switched back to burp for some minifying tasks and narrowed the interesting request to further focus on! BTW, I was hunting with my friend Elguerdawi and while sharing some interesting requests he found this interesting one while searching for the ‘api’ word in history:

GET /api/v1/{user_path}/user_name HTTP/2
Host: redacted.com
Cookie: session:redacted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

And it’s response was a huge JSON Object like this:

In the first place, we thinking about IDOR but we must find any sensitive information to leak first to get more impact!

I copied the JSON on VSCode for better visuals and Inspection!

Then I have found some cool Information like:
Email, Country, State, City, IsSubsribed, and other ones!

Tweaking IDs

Now, the story has come full circle. We attempted to change the IDs on our fake accounts and successfully accessed both public and private user-related data! Its have been Accepted as valid but the program considered it as P2!

Please share your feedback with me!🙂
And let’s connect on Twitter: sl4x0