IDOR is Everywhere: You need to find them
Privilege Escalation, IDOR, and Access Control bugs are my favorites nowadays; I find them everywhere.
Hello folks! In this article, I will explain the IDOR I found on Acko.
Today's application belongs to one of the "private-sector general insurance companies in India", called Acko.
I saw someone post about their "Hall of Fame" entry from this application. But my aim here is not to get any recognition or monetary reward, just to find IDOR or Access Control flaws.
Note: I have not reported this vulnerability to Acko, as I don't want any recognition or reward, and I know that many times companies want a bug report but don't want to reward it. I usually find bugs to improve my knowledge and skills, not to get any reward.
I recommend that you don't hunt for bugs found via Google dorks or on self-hosted bug bounty programs, especially those of startups like this one.
For Example - https://www.acko.tech/bug-bounty/
Most of the time this kind of company doesn't want to pay money. They need a report, but once they have received it they don't want to pay and will start giving excuses. You could say they want the bug fixed without paying any money (free services). Reporting bugs to this kind of company is a complete waste of time and effort. Better to hunt on Bugcrowd and HackerOne, which will reward the effort and time you put in.
Let's get started!!
Firstly, during the recon phase, I observed that the application uses Cloudflare.
Then I started looking for the origin IP to bypass the WAF protection, so that the attack surface would be larger.
I extracted the origin IP and tried fuzzing for information disclosure or sensitive file leakage, but couldn't find anything useful.
Then I tried loading the IP in the browser so that I could try XSS or other exploits, but unfortunately that didn't work either.
Then I tried rate-limiting bypasses and other logical bugs, but nothing worked.
Now comes my favorite bug: IDOR. Every time, my first bug in any application is Privilege Escalation or IDOR. But here I couldn't test for privilege escalation, as this application doesn't have multiple roles.
I started hunting the IDOR this time, and here is my approach.
I visited almost all the possible APIs and tried to understand the application's behavior.
I found one API which returns the user's profile information and the bank details they saved in their account.
It looks like this: https://www.acko.com/authorization/api/auth/user/get?bank_details=true
The output is in JSON format with all the details of the user's profile and their bank details.
I observed that there is no user ID in the request. But sometimes developers code in such a way that a unique identifier is used to fetch the specific user's details.
I searched in Burp for the common parameters associated with IDOR. I found one identifier, "user-id", hidden somewhere in the request, which looks like this:
55AyzLFC53eHDdghs789gdfs:166948475759:b3ebc46cca0b4fhfc64738a5efe4c8e178e06
I quickly created another account, copied the user ID of that second account, and replaced the original one with it.
Surprisingly, the response!
I got the details of the other user! Which is really awesome.
Brute-forcing the user-id is not practical here, as it is too long. But this application also has a cookie-expiry weakness, and an attacker could chain that with the IDOR to get access to bank account and PII information.
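To make the root cause concrete, here is an added example that is not part of the original write-up and not Acko's code: a minimal Python model of a "get user" endpoint that selects the record by a client-controlled `user-id` header (the IDOR pattern described above), the same endpoint fixed so the subject is always the authenticated session owner, and a small detection routine that flags access-log lines where the supplied `user-id` differs from the session's owner. The user records, session tokens, expiry values, header names and log lines are all constructed for the example; only the endpoint path is taken from the write-up.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample accounts; the bank fields are placeholders, not real data.
USERS: Dict[str, dict] = {
    "uid-alice": {"name": "Alice", "bank": {"ifsc": "TEST0000001", "account": "XXXX1111"}},
    "uid-bob": {"name": "Bob", "bank": {"ifsc": "TEST0000002", "account": "XXXX2222"}},
}

# Constructed session store: opaque cookie value -> owner and expiry (epoch seconds).
# A session that never expires would let a captured cookie be chained with the IDOR.
SESSIONS: Dict[str, dict] = {
    "sess-alice": {"user": "uid-alice", "expires": 1_700_003_600},
    "sess-bob": {"user": "uid-bob", "expires": 1_700_003_600},
}


@dataclass
class Request:
    """Just enough of an HTTP request for the example: query args and headers."""
    args: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def session_user(req: Request, now: int) -> Optional[str]:
    """Resolve the caller from the 'session' cookie; None if missing or expired."""
    cookie = req.headers.get("Cookie", "")
    token = cookie.split("session=", 1)[1].split(";", 1)[0] if "session=" in cookie else ""
    entry = SESSIONS.get(token)
    if entry is None or now >= entry["expires"]:
        return None
    return entry["user"]


def render(record: dict, with_bank: bool) -> dict:
    """Shape the JSON body; bank details are included only when bank_details=true."""
    body = {"name": record["name"]}
    if with_bank:
        body["bank"] = record["bank"]
    return body


def get_user_vulnerable(req: Request, now: int) -> Optional[dict]:
    """IDOR pattern: the caller is authenticated, but the record is chosen by the
    client-controlled 'user-id' header rather than by the session owner."""
    if session_user(req, now) is None:
        return None
    record = USERS.get(req.headers.get("user-id", ""))
    if record is None:
        return None
    return render(record, req.args.get("bank_details") == "true")


def get_user_fixed(req: Request, now: int) -> Optional[dict]:
    """Fix: the subject is the session owner; any 'user-id' header is ignored."""
    caller = session_user(req, now)
    if caller is None:
        return None
    return render(USERS[caller], req.args.get("bank_details") == "true")


def flag_cross_account(log_lines: List[str]) -> List[dict]:
    """Detection over constructed access-log lines of the form
    'session=<token> user-id=<id> path=<path>': report requests whose
    supplied user-id is not the owner of the presenting session."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        owner = SESSIONS.get(fields.get("session", ""), {}).get("user")
        if owner is not None and fields.get("user-id") not in (None, owner):
            hits.append({"session_user": owner, "requested": fields["user-id"],
                         "path": fields.get("path")})
    return hits


SAMPLE_LOG = [  # constructed log lines; the path is the one from the write-up
    "session=sess-alice user-id=uid-alice path=/authorization/api/auth/user/get",
    "session=sess-alice user-id=uid-bob path=/authorization/api/auth/user/get",
    "session=sess-bob user-id=uid-bob path=/authorization/api/auth/user/get",
]

if __name__ == "__main__":
    now = 1_700_000_000
    # Alice's valid session, but asking for Bob's record via the hidden header.
    cross = Request(args={"bank_details": "true"},
                    headers={"Cookie": "session=sess-alice", "user-id": "uid-bob"})
    print("vulnerable:", get_user_vulnerable(cross, now))
    print("fixed:     ", get_user_fixed(cross, now))
    print("flagged:   ", flag_cross_account(SAMPLE_LOG))
```

The fixed handler never consults the client-supplied identifier at all, which is the simplest correct shape for a "my profile" endpoint: when an endpoint legitimately needs an object id, the check becomes "does the session owner have rights to that id", and the detection logic above is the kind of signal that catches the gap when that check is missing.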
If you feel this is not a security concern, drop a message in the comments.
That's it for this write-up.
Happy Hacking!
Thanks for reading.
Please follow me for more writeups.