IDOR + PII Leakage
Hello Hunters!!
This is Shesha Sai C.
I’m back with another write-up about the combination of IDOR with PII (Personal Identifiable Information) Leakage which lead to High Severity P2.
Let’s call this as redacted.com
After spending like half a day I came with no findings or I can say nothing interesting.
Later that day I grabbed a cup of boost and took a step back and re-calculated my tactics.
After a lot of digging found an end point which allow users to order products from redacted.com and then allow the owner to view the order and its contents which included user private information and order information (both are not same).
When I found this end-point I was surprised that the order ID was totally predictable.
I immediately started ordering products from different accounts and found the order ID pattern, then started the attack by crafting the payload with Intruder.
DAAAAMMMMNNNN!!!! The attack was successful and I was able to view the order information and personal information of other users.
There we have our WINNING BLOW….!!!!
I have opened all the requests one by one to verify the attack in which I was successful by gaining information of all other users.
The hunt completed.
Steps to Reproduce:
Visit : https://redacted.com/orders
Click on my orders -> View order
Observe that the application allows us to view the order details.
Click on View Order Status, observe that the application shows the entire order summary of user from account A.
Observe that the application URL containing an order id : https://redacted.com/order-editor/redacted.com/123456789#/
Now replace the order id value of user account B 987654321. the final URL looks like this : https://redacted.com/order-editor/redacted.com/987654321#/
Observe that the application showing user B order summary.
Click on view order status and observe that the user B entire PII data is being leaked.
Intercept the request and send this to Intruder then select the order id value and then select the attack type as “Sniper” then select attack type as “Numbers” give the value you like and start the attack.
Once the attack is complete open the requests with 200 OK response in the browser for better view.
Observe that we can now view entire order information and User information.
Timeline:
Reported on 10–12–2022
Triaged and awarded on 11–12–2022
Thank you for reading,
Let’s catch up in next write-up GTG!!
You can find me on LinkedIn