I’m here to share my recent finding on a website which pulls me to pen down my first post. I can not disclose the name of the company because of the Non-Disclosure Agreement(NDA). So I’ll be using target.com for references.
. . . . .
I found out that while requesting an endpoint of an API, there was a lack of access control policy(Broken Access Control), which leads me to edit/delete the work experience and educational details of any user without their permission.
What is IDOR?
Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly.
. . . . .
So, I was testing target.com from last 3 days. I found out some bugs which include Cross-site scripting, Rate limiting etc. I was not satisfied with what I had. So I start digging out for more. After an hour of searching, my eyes got stuck on a response of an API request, which was:
You can clearly see, this response includes an ‘id’ parameter (“id”:2150). This took my attention.
This response was generated because I added a work experience to the profile on target.com. The original request was:
Now I started fuzzing to that location. I tried a few things like creating a work experience of another user by adding some parameters in JSON, inside the body of the request but nothing happened.
I was about to move from this endpoint but suddenly I thought about checking the delete functionality of the work experience. I deleted the work experience on my profile and captured the request:
Now I think you have also caught that interesting parameter in that URL. The method was DELETE and URL was https://www.target.com/api/user-firm/2150.
That number(‘2150′) in the request again took my attention. Now see the response of the above request:
The response contains the status code ‘204’ No Content. Which means that the work experience was deleted successfully and there was no content at that location.
Now I created another account again followed the above steps. I added a work experience to this profile. The request was:
The response had something which again calls my previous thoughts.
Here “id”=2151 which was successor number of the previous work experience which I had created with my first account. Now I got to know that this was going uniformly. Now from the first account I again created another work experience. Now the idea was to check for IDOR vulnerability. So, I tried to delete the work experience of the 2nd account by using the request of the first account. Make sure that you remember the creation id(2150) of the first work experience.
Deletion Request from my first account was:
In the above Request, I changed the value of the id from 2150 to 2151.
The response was:
So, I had just deleted the work experience of my 2nd account with my first account. Again, I tried the same for adding educational details on the website.
Luckily, I got succeeded again.
. . . . .
I could have edited/deleted the work experience and educational details of the entire user registered on that website target.com without any permission.
- Must see the response of API endpoints with parameters.
- If some number is passing in the API then you must try to fuzz the endpoint and look for IDOR.
. . . . .
This website I had tested during my internship.
So, yes I did not get any special bounty.
Thank you for reading so far.
Hope you have learned something.
Link to my Medium Post: https://link.medium.com/OrGGhE8H15
Books which I recommend: