One Way to Find Hidden IDOR Vulnerability
One Way to Find Hidden IDOR Vulnerability
I received an invitation for an internal project, i found an interesting vulnerability in this project.
After submitting some regularized vulnerabilities, the project seems to have no one to submit new security issues.
I started to try some WebFuzz techniques.
First i should test for sensitive information api, because vulnerabilities here are the most valuable( many bounty ).
I found one API about sensitive information -> ../getUserAuth...
HTTP Message Body as follows
{"responseData":{"userid":"user_id","login":"user_name","password":"user_password","mobilenum":"user_mobilephone_number","mobileisbound":"01","email":"user_email_address"}}
It looks really exciting !!! If I can get this information about other people based on my account, i think this is great !!!
Here is my test step ↓↓
Step 1
I see this is a GET request without any request parameters, so i need add parameters.
But where can i get parameters ???
At first i thought of using a dictionary to guess, but i didn’t get the results i wanted after trying.
Step 2
I tried to convert HTTP Response Body to HTTP Request Parameters.
So, i get these parameters (BurpSuite Plugin: https://github.com/gh0stkey/JSONandHTTPP):
mobileisbound=01 login=user_name userid=user_id password=user_password mobilenum=user_mobilephone_number email=user_email_address ../getUserAuth...?login=[Test Account B]user_name ../getUserAuth...?userid=[Test Account B]user_id ... and so on
But after trying, i also can’t get the results i want.
Step 3
I found the naming rules for other API parameters when I was about to give up.
Rule -> English capitalization
Change the parameter to uppercase with javascript:
God is taking care of people who are careful~I tried to add parameters and i found interesting results.
I successfully get the sensitive information of the account B
based on the credentials of the account A
!!!
END
- I reported the vulnerability.
- Officially confirmed that this is a critical vulnerability.
- Waited for 3 days… I was awarded ¥3,000 (RMB) bounty.
相关推荐: 基于BurpSuite快速探测越权-Authz插件
基于BurpSuite快速探测越权-Authz插件 June 27, 2019 BurpSuite - Authz 背景 在平时的测试中,会经常的碰到业务功能较多的站点,如果想全面又快速的完成逻辑越权漏洞的检测不得不借助Authz插件去辅助检测越权问题。 Au…
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论