One Way to Find Hidden IDOR Vulnerability

Vulkey_Chen 2021年4月17日17:54:43gh0st_cn评论43 views1977字阅读6分35秒阅读模式
摘要

I received an invitation for an internal project, i found an interesting vulnerability in this project.


One Way to Find Hidden IDOR Vulnerability

One Way to Find Hidden IDOR Vulnerability

I received an invitation for an internal project, i found an interesting vulnerability in this project.

After submitting some regularized vulnerabilities, the project seems to have no one to submit new security issues.

I started to try some WebFuzz techniques.

First i should test for sensitive information api, because vulnerabilities here are the most valuable( many bounty One Way to Find Hidden IDOR Vulnerability ).

I found one API about sensitive information -> ../getUserAuth...

One Way to Find Hidden IDOR Vulnerability

HTTP Message Body as follows

{"responseData":{"userid":"user_id","login":"user_name","password":"user_password","mobilenum":"user_mobilephone_number","mobileisbound":"01","email":"user_email_address"}} 

It looks really exciting !!! If I can get this information about other people based on my account, i think this is great !!!

Here is my test step ↓↓

Step 1

I see this is a GET request without any request parameters, so i need add parameters.

But where can i get parameters ???

At first i thought of using a dictionary to guess, but i didn’t get the results i wanted after trying.

Step 2

I tried to convert HTTP Response Body to HTTP Request Parameters.

So, i get these parameters (BurpSuite Plugin: https://github.com/gh0stkey/JSONandHTTPP):

One Way to Find Hidden IDOR Vulnerability

mobileisbound=01 login=user_name userid=user_id password=user_password mobilenum=user_mobilephone_number email=user_email_address  ../getUserAuth...?login=[Test Account B]user_name ../getUserAuth...?userid=[Test Account B]user_id ... and so on 

But after trying, i also can’t get the results i want.

Step 3

I found the naming rules for other API parameters when I was about to give up.

Rule -> English capitalization

Change the parameter to uppercase with javascript:

One Way to Find Hidden IDOR Vulnerability

God is taking care of people who are careful~I tried to add parameters and i found interesting results.

One Way to Find Hidden IDOR Vulnerability

I successfully get the sensitive information of the account B based on the credentials of the account A !!!

END

  1. I reported the vulnerability.
  2. Officially confirmed that this is a critical vulnerability.
  3. Waited for 3 days… I was awarded ¥3,000 (RMB) bounty.
<< · Index · >>

相关推荐: 基于BurpSuite快速探测越权-Authz插件

基于BurpSuite快速探测越权-Authz插件 June 27, 2019 BurpSuite - Authz 背景 在平时的测试中,会经常的碰到业务功能较多的站点,如果想全面又快速的完成逻辑越权漏洞的检测不得不借助Authz插件去辅助检测越权问题。 Au…

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
Vulkey_Chen
  • 本文由 发表于 2021年4月17日17:54:43
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  One Way to Find Hidden IDOR Vulnerability http://cn-sec.com/archives/337232.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: