20K INR — IDOR to Account Takeover 🔥🔥
I found this bug in one of the Indian startup companies, where the application was exposing the User-ID in the change password functionality.
Hello Folks, in this article I will explain one of my IDOR to account takeover bugs.
What is IDOR?
Insecure direct object reference (IDOR) is a type of access control vulnerability. It occurs when a web application or API uses a client-supplied identifier to access an object in an internal database directly, but does not check whether the authenticated requester is actually authorized to access that object.
IDOR is one of my favorite bugs, which I look for on almost all the applications I test.
But in this article, I will explain my first IDOR → Account Takeover.
Let's get Started !! 😉
I was browsing the application and found many issues, and after a certain period of time, I just wanted to check the password change functionality.
Firstly, I tried response manipulation while changing the password, and unluckily it didn’t work!!
Then, I entered the new password and current password to check what was happening behind the API call.
As usual, I intercepted the request while changing the password, and this time I observed the User-ID that was being sent in the POST request while updating the password 👇
Immediately, I created another account and again intercepted the request; from there I copied the User ID of that account, and finally replaced it with the previous account ID.
It was really unexpected….!!
Woooowww
Finally, I did it.
I was able to update the password of another user, and in the pen-testing world we call this an IDOR to account takeover.
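To make the root cause concrete, here is an added example written for this write-up (my own illustration, not code from the affected startup or from the original post). It models the pattern described above: the change-password endpoint takes a `user_id` from the POST body and updates that account, while the only thing it verifies is that the requester has a valid session of their own. The hardened version beside it derives the target account from the session, refuses any client-supplied id that disagrees, and re-checks the current password of that same account. All user ids, passwords and the in-memory user store are constructed sample data; the handler names and the `(status, message)` return shape are assumptions for the demo.

```python
"""Vulnerable vs. hardened change-password handlers (added example, constructed data)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the demo realistic; the IDOR has nothing to do with hashing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    user_id: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""

    def set_password(self, password: str) -> None:
        self.pw_hash = _hash_password(password, self.salt)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash_password(password, self.salt))


# Constructed sample accounts: "1001" is the tester's own account, "1002" a second account.
USERS: dict[str, User] = {}
for _uid, _pw in (("1001", "own-pass"), ("1002", "other-pass")):
    _u = User(_uid)
    _u.set_password(_pw)
    USERS[_uid] = _u


def change_password_vulnerable(session_user_id: str, body: dict) -> tuple[int, str]:
    """Authenticates the requester, then updates whatever account the body names.

    Assumption for the demo: the current-password check runs against the
    session's own account, so the requester only needs to know their own
    password. The object (target account) is chosen by body['user_id'],
    which is exactly the IDOR: auth identity != object identity.
    """
    requester = USERS.get(session_user_id)
    if requester is None:
        return 401, "not authenticated"
    if not requester.check_password(body.get("current_password", "")):
        return 403, "current password incorrect"
    target = USERS.get(body.get("user_id", ""))
    if target is None:
        return 404, "no such user"
    target.set_password(body["new_password"])      # <-- writes to an account the caller does not own
    return 200, "password updated"


def change_password_hardened(session_user_id: str, body: dict) -> tuple[int, str]:
    """Derives the target from the session; never trusts a client-supplied id."""
    target = USERS.get(session_user_id)
    if target is None:
        return 401, "not authenticated"
    # A body id that disagrees with the session is a tampering signal worth logging and refusing,
    # rather than silently ignoring.
    if body.get("user_id") not in (None, session_user_id):
        return 403, "user_id does not match session"
    if not target.check_password(body.get("current_password", "")):
        return 403, "current password incorrect"
    target.set_password(body["new_password"])
    return 200, "password updated"


if __name__ == "__main__":
    tampered = {"user_id": "1002", "current_password": "own-pass", "new_password": "changed"}
    print("vulnerable:", change_password_vulnerable("1001", tampered))
    print("hardened:  ", change_password_hardened("1001", tampered))
```

The fix is not to "hide" the id in the request; it is to stop using it at all for authorization. Any object identifier the server needs should be resolved from the session (or from an ownership check against the session's principal), and a mismatch between the two is a useful detection signal for the application's logs.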
That’s really cool.
That’s it for this write-up.
Happy Hacking 🥂🥂
Thanks for reading.
Please follow me for more writeups.