The Hidden IDOR That Took Down Redirected.com š¤Æ
Ah, IDOR vulnerabilities ā what are they good for? Unauthorized access to someone elseās to-do list? Meh, boring. But what if I told you that an IDOR could lead to complete domination of an entire web app? š Buckle up, because today, Iām going to take you on a wild ride through an IDOR vulnerability that snowballed into full-blown ownership of Redirected.com (totally a real app, I swear! š). If youāre thinking āIDORs are easy!ā ā well, think again.
Phase 1: The Gateway to Chaos
So, there I was, casually testing Redirected.com, a massive SaaS platform handling user accounts, roles, and admin features. Everything seemed tightā¦ until I stumbled upon an innocent-looking endpoint:
/account/modify/<uuid>/transfer
This endpoint was meant to allow admins to transfer accounts between users. Exceptā¦ something smelled fishy š (and not the good sushi kind). It turns out, the API didnāt strictly enforce access control checks. Like, at all. š¤¦āāļø
The First Sign of Trouble: Metadata Galore
Time to poke around! I crafted a request to transfer an adminās account to my lowly user account. But Redirected.comās server responded with an error. At first, I thought, āPfft, this app is smarter than I thought.ā
But thenā¦ š” I realized the error response was leaking sensitive metadata ā specifically, internal role IDs and account UUIDs of admin users! These juicy tidbits were about to become my golden ticket šļø.
Phase 2: The Role Swap That Shouldnāt Be Possible
Using the leaked metadata, I found an orphaned endpoint /role/modify/<uuid>. This endpoint should have required strict permissions for role modification. But surprise! The developers never actually put those checks in place. š¬
Now, I didnāt just want access to another userās account ā I wanted admin privileges! š¼ So, I tweaked the request to modify the adminās role andā¦ š BAM! My user account was now sporting shiny new admin rights. I was living the dream! (Well, at least the hackerās dream.)
Phase 3: Session Fixation FTW
At this point, I was feeling pretty powerful. But, like any responsible hacker, I knew admin privileges werenāt enough. What if they revoked my access? š± Not on my watch!
The app had a critical flaw: session fixation. This allowed me to lock my session in place before authentication even happened. It was like getting the keys to the adminās mansion š° and changing all the locks. Even if they figured out something was wrong, they couldnāt kick me out. Cue evil laughter š¦¹āāļø.
Phase 4: SSO ā The Achillesā Heel
But wait, thereās more! Redirected.com used Single Sign-On (SSO), and I was curious: Could I break in even further? š¤ (Of course I could!)
Hereās where it gets juicy š: The SSO trusted user-provided tokens without actually verifying them with the Identity Provider (IDP). Whoops. Now, using my newly acquired admin access, I forged an SSO token that let me impersonate the super-admin ā basically the god of all accounts. š©
In doing so, I gained access to the entire platform, including settings, user data, and admin privileges galore. If I wanted, I couldāve turned off the whole siteā¦ but thatās just mean. š
Conclusion: How an Innocent IDOR Escalated Into Full-On App Takeover šØ
Most people think of IDORs as harmless little flaws that maybe let you peek at someone elseās data. But this saga shows that an IDOR ā when combined with metadata leaks, orphaned endpoints, session fixation, and SSO misconfigurations ā can lead to total system compromise. š
So, what have we learned?
- Always validate permissions server-side. š
- Never assume UUIDs make you invulnerable. š§©
- Fix your session fixation issues, seriously. š ļø
- Test your SSO like your life depends on it. ā ļø
Because if you donāt, someone like me might come along, chain these flaws together, and own your entire platform. š„
Happy Hacking, Cheers š»š»
