Open in app

Sign in

Write

Sign in

IDOR + PII Leakage

shesha sai_c
3 min readDec 11, 2022

Hello Hunters!!

This is Shesha Sai C.

I’m back with another write-up about the combination of IDOR with PII (Personal Identifiable Information) Leakage which lead to High Severity P2.

As usual we are going to call this program as redacted.com

After spending like half a day I came with no findings or I can say nothing interesting.

Later that day I grabbed a cup of boost and took a step back and re-calculated my tactics.

After a lot of digging found an end point which allow users to order products from redacted.com and then allow the owner to view the order and its contents which included user private information and order information (both are not same).

When I found this end-point I was surprised that the order ID was totally predictable.

I immediately started ordering products from different accounts and found the order ID pattern, then started the attack by crafting the payload with Intruder.

DAAAAMMMMNNNN!!!! The attack was successful and I was able to view the order information and personal information of other users.

There we have our WINNING BLOW….!!!!

I have opened all the requests one by one to verify the attack in which I was successful by gaining information of all other users.

The hunt completed.

Steps to Reproduce:

Visit : https://redacted.com/orders

Click on my orders -> View order

Observe that the application allows us to view the order details.

Click on View Order Status, observe that the application shows the entire order summary of user from account A.

Observe that the application URL containing an order id : https://redacted.com/order-editor/redacted.com/123456789#/

Now replace the order id value of user account B 987654321. the final URL looks like this : https://redacted.com/order-editor/redacted.com/987654321#/

Observe that the application showing user B order summary.

Click on view order status and observe that the user B entire PII data is being leaked.

Intercept the request and send this to Intruder then select the order id value and then select the attack type as “Sniper” then select attack type as “Numbers” give the value you like and start the attack.

Once the attack is complete open the requests with 200 OK response in the browser for better view.

Observe that we can now view entire order information and User information.

Timeline:

Reported on 10–12–2022

Triaged and awarded on 11–12–2022

Thank you for reading,

Let’s catch up in next write-up GTG!!

You can find me on LinkedIn

Security Vulnerabilities
Bug Bounty
Hacking
Tips
Pentesting

--

--

shesha sai_c

Written by shesha sai_c

243 Followers

Ignore me, i will make you regret

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams