codeburst

Bursts of code to power through your day. Web Development articles, tutorials, and news.

Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART 2)

In this post I have listed all the endpoints on which you can look for IDOR vulnerabilities. For Part 1 you can visit this link.

#6. IDOR — Comment on any post

Yes!! This time I was able to comment on any post. It doesn’t matter if it has “only-me” privacy ;)

Improper server-side validation of the streamid parameter made it possible to comment on anyone’s post remotely via an IDOR vulnerability at the following endpoint.

Screenshot: a post with Only-me privacy; no one else can see it.

The victim posted “anyone up who can comment here?… no one can :D”. Commenting on that post was the biggest challenge for an attacker.

Screenshot: the attacker is not able to see the post.

But the attacker was not able to see the victim’s post because it had Only-me privacy, so how could he comment on it?

Screenshot: commenting on a post that has no privacy restriction.

Commenting on a post that has no privacy restriction (everyone can see it and comment on it) makes the following request to the server.

Screenshot: the request sent to the server.

As you can see, the POST data contains a streamid parameter, which is the unique id of every post. So I tried changing the streamid of my own post (which had Everyone privacy) to the victim’s streamid (which had Only-me privacy) and was able to comment on the victim’s post.

Challenge Accepted ;)

After finding the above IDOR vulnerability on a post with Only-me privacy, it clicked that I should try to change other users’ post privacy. I tried to change the privacy settings of other users’ posts but was unable to, because there was a security check in place.

As my brother AqeelAsif always says, “Where there is security, there is a vulnerability”, so with this attitude I tested again and was able to change users’ post privacy ;)

#7. IDOR — Change or Control Anyone’s Post Privacy

Improper server-side validation of streamid made it possible to change anyone’s post privacy remotely via an IDOR vulnerability at the following endpoint.

Screenshot: the user’s post.

The dev’s intention was that a hacker should not be able to change the victim’s post privacy. Serious?? :p

Screenshot: the attacker’s post.

Clicking the *Only Me* option makes the following request to the server.

Screenshot: the request sent to the server.

As you can see, the POST data contains a streamid parameter, which is the unique id of the post. So I tried changing it to another post’s streamid value.

Screenshot: the attacker’s streamid value replaced with the victim’s streamid value.

and I was able to change and control the victim’s post privacy.

Screenshot: controlling another user’s post privacy.

#8. IDOR — Repost Any Post More Than One Time

Improper server-side validation of postid made it possible to repost any post more than once remotely via an IDOR vulnerability at the following endpoint.

The developers’ intention was that a user can repost any post only once. If the user tries to repost the same post again, the site shows the error “Unable to repost. You Have already repost the same post”. I tried to repost another post as shown below.

Clicking the *Repost* option makes the following request to the server.

Screenshot: the request sent to the server.

As you can see, the POST data contains a postid parameter, which is the unique id of the post. So I tried changing it to the postid value of a post I had already reposted.

Screenshot: the changed postid.

and I was able to repost the same post more than once.

Screenshot: the same post reposted two times.

By following the same method I was able to repost many times.
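The three issues above share one root cause: the server acted on whatever streamid or postid the client sent without checking the caller’s relationship to the object that id resolves to. The following Python model is an added example (not code from the original post or from the affected site) of the checks that would have closed each one: a visibility check before commenting, an owner check before changing privacy, and a server-side record keyed on (user, post) so a repost cannot be repeated. The Post class, the user ids 101 (attacker) and 202 (victim), and the stream ids 5001 and 5002 are constructed for illustration; the same owner check applies to any client-supplied object id.

```python
"""Server-side authorization checks for post actions keyed by a client-supplied id.

Added example, not code from the original post or from the affected site.
The Post model, the user ids (101 attacker, 202 victim) and the stream ids
(5001, 5002) are constructed for illustration.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the action."""


@dataclass
class Post:
    stream_id: int
    owner_id: int
    privacy: str = "everyone"      # "everyone" or "only_me"
    comments: list = field(default_factory=list)


class PostService:
    def __init__(self, posts):
        self.posts = {p.stream_id: p for p in posts}
        # Reposts are recorded server-side per (user, post); the client never
        # gets to assert "not reposted yet" by picking a different id.
        self.reposts = set()

    def _load(self, stream_id):
        post = self.posts.get(stream_id)
        if post is None:
            raise KeyError(f"no post {stream_id}")
        return post

    @staticmethod
    def _can_view(user_id, post):
        # Visibility comes from the stored privacy of the post the id resolves
        # to, never from anything in the request (closes issue #6).
        return post.owner_id == user_id or post.privacy == "everyone"

    def comment(self, user_id, stream_id, text):
        post = self._load(stream_id)
        if not self._can_view(user_id, post):
            raise Forbidden("cannot comment on a post you cannot see")
        post.comments.append((user_id, text))
        return len(post.comments)

    def set_privacy(self, user_id, stream_id, privacy):
        post = self._load(stream_id)
        if post.owner_id != user_id:          # owner check closes issue #7
            raise Forbidden("only the owner may change privacy")
        if privacy not in ("everyone", "only_me"):
            raise ValueError(f"unknown privacy {privacy!r}")
        post.privacy = privacy
        return post.privacy

    def repost(self, user_id, stream_id):
        post = self._load(stream_id)
        if not self._can_view(user_id, post):
            raise Forbidden("cannot repost a post you cannot see")
        key = (user_id, stream_id)
        if key in self.reposts:               # server-side dedup closes issue #8
            raise Forbidden("already reposted this post")
        self.reposts.add(key)
        return len(self.reposts)


def outcome(action, *args):
    """Run one request and report whether the server allowed or denied it."""
    try:
        action(*args)
        return "allowed"
    except Forbidden:
        return "denied"


def demo():
    """Replay the requests from the write-up against the hardened service."""
    attacker, victim = 101, 202
    svc = PostService([Post(5001, attacker), Post(5002, victim, "only_me")])
    return {
        "comment_on_own_post": outcome(svc.comment, attacker, 5001, "hi"),
        "comment_on_victim_only_me_post": outcome(svc.comment, attacker, 5002, "hi"),
        "change_victim_privacy": outcome(svc.set_privacy, attacker, 5002, "everyone"),
        "victim_changes_own_privacy": outcome(svc.set_privacy, victim, 5002, "everyone"),
        "first_repost": outcome(svc.repost, attacker, 5001),
        "second_repost_same_post": outcome(svc.repost, attacker, 5001),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:32} {result}")
```

The point of the model is that every handler first resolves the id to a stored object and then decides from that object’s stored owner and privacy, so swapping in someone else’s id changes nothing except which check fails.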

#9. Taking Privileges on Blogs (Create, Edit, Delete, etc.)

Create a blog from the attacker account > edit the blog > capture the request with Burp > change the attacker’s blog_id to the victim’s blog_id > privilege escalation.

#10. Remove Linked Social Accounts From Any Account

Here is the list of all endpoints on which I reported IDOR vulnerabilities.
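On the detection side, the same endpoints can be monitored for the pattern these reports describe: a session sending object ids that belong to someone else to a mutating endpoint. The following Python is an added example (not part of the original post) that parses constructed access-log lines, joins each request’s id against a constructed ownership table, and flags non-owner privacy changes and blog edits, comments on Only-me posts by non-owners, and duplicate reposts. The log format, endpoint paths, ids and ownership table are all assumptions; a real deployment would read ownership from the application database and feed the findings to its alerting pipeline.

```python
"""Flag IDOR indicators in access logs by joining request ids against object ownership.

Added example, not part of the original post. Log format, endpoint paths,
user/object ids and the ownership table are constructed for illustration.
"""
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) POST (?P<path>/\S+) (?P<params>\S+) status=(?P<status>\d{3})$"
)

# Constructed ownership table: object id -> (owner user id, privacy).
# In practice this comes from the application's database.
OWNERS = {
    "5001": (101, "everyone"),
    "5002": (202, "only_me"),
    "5003": (202, "everyone"),
    "9001": (202, "everyone"),   # a blog id, hypothetical
}

# Constructed sample access log; user 101 probes objects owned by user 202.
SAMPLE_LOG = """\
2023-01-01T10:00:01Z user=101 POST /post/comment streamid=5001&text=hi status=200
2023-01-01T10:00:05Z user=101 POST /post/comment streamid=5002&text=hi status=200
2023-01-01T10:00:09Z user=101 POST /post/privacy streamid=5002&privacy=only_me status=200
2023-01-01T10:00:12Z user=101 POST /post/repost postid=5003 status=200
2023-01-01T10:00:15Z user=101 POST /post/repost postid=5003 status=200
2023-01-01T10:00:20Z user=101 POST /blog/edit blog_id=9001&title=x status=403
2023-01-01T10:00:25Z user=202 POST /post/privacy streamid=5002&privacy=everyone status=200
"""

# Parameter names the site used to carry object ids (from the write-up).
ID_KEYS = ("streamid", "postid", "blog_id")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = dict(p.split("=", 1) for p in m["params"].split("&") if "=" in p)
    obj = next((params[k] for k in ID_KEYS if k in params), None)
    return {
        "ts": m["ts"],
        "user": int(m["user"]),
        "path": m["path"],
        "obj": obj,
        "status": int(m["status"]),
    }


def find_idor_indicators(log_text, owners):
    """Return one finding per request that acts on an object the caller should not control."""
    findings = []
    reposts_seen = set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["obj"] is None or ev["obj"] not in owners:
            continue
        owner, privacy = owners[ev["obj"]]
        foreign = ev["user"] != owner
        reason = None
        if ev["path"] in ("/post/privacy", "/blog/edit") and foreign:
            reason = "non-owner mutation"
        elif ev["path"] == "/post/comment" and foreign and privacy == "only_me":
            reason = "comment on private post by non-owner"
        elif ev["path"] == "/post/repost":
            key = (ev["user"], ev["obj"])
            if key in reposts_seen:
                reason = "duplicate repost"
            reposts_seen.add(key)
        if reason:
            findings.append({
                "ts": ev["ts"], "user": ev["user"], "path": ev["path"],
                "obj": ev["obj"], "status": ev["status"], "reason": reason,
                # A 200 on a flagged request means the control is missing, not just probed.
                "succeeded": ev["status"] == 200,
            })
    return findings


if __name__ == "__main__":
    for f in find_idor_indicators(SAMPLE_LOG, OWNERS):
        print(f"{f['ts']} user={f['user']} {f['path']} obj={f['obj']} "
              f"status={f['status']} {f['reason']}")
```

A flagged request that returned 200 is evidence that the authorization check is missing on that endpoint; a 403 on the same pattern shows the check working and is still worth recording as probing.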

After reporting all the issues one by one to the website, I got a quick response from the CEO ;)

My first and highest four-digit bounty.

Written by Mohammed Abdul Raheem

Product Security Engineer and Ethical Hacker
