The Great Photo Heist: IDOR Vulnerability Strikes Again
In the name of God, the Most Gracious, the Most Merciful
Hi everyone, I am back again with another bug I found while hunting on a private program at HackerOne. I can't name the program, so let me give you a summary and then dive into the details.
Summary:
This writeup describes an Insecure Direct Object Reference (IDOR) vulnerability discovered in a shopping site's partner service.
The vulnerability allows an attacker to download any photo uploaded to the server, including business licenses, photos of institutional premises, and proof of student enrollment.
Details
I chose a shopping site to hunt for bugs on; let's say the site is <https://service.target.com>.
This service lets you register as a partner. After registering and verifying your email and phone number, there is a tab called Settlement related, and in this category there is My entry.
In this tab you need to apply for admission and get approval. In the application for admission there is Settlement, which has many types:
- Operation Service
- School enterprise cooperation training services
- Software Services
- Live streaming service
- …etc
Let's choose Operation service as the starting attack point.
After filling in all the blank fields, I marked the Business license photo field with a square in the screenshot; this is the vulnerable place.
After submitting my application I went back to the My entry tab, thinking: what if the download function for the photos I uploaded is vulnerable to IDOR?
Then I went to Edit operate, scrolled down and found that I could download the Business license photo.
I clicked download, intercepted the request in Burp Suite and sent it to Repeater to check whether IDOR was possible.
Then I started guessing the number, beginning with 1, and surprise: the IDOR was real and I could download every photo uploaded to the server.
Remediation
The target service should enforce object-level authorization on the photo download endpoint: before serving a file, check that the requesting partner owns the photo rather than trusting the id supplied in the request.
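As an added example (not the target's code), the pattern below models the download endpoint as a vulnerable handler beside its fixed counterpart, plus a small authorization regression check; the photo store, ids and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Photo:
    id: int
    owner_id: int
    filename: str


# Constructed sample store: sequential numeric ids, one photo per partner.
PHOTOS = {
    1: Photo(1, 101, "business_license_partner_a.jpg"),
    2: Photo(2, 102, "premises_partner_b.jpg"),
    3: Photo(3, 103, "student_enrollment_partner_c.jpg"),
}


class NotFound(Exception):
    pass


def download_photo_vulnerable(current_user_id: int, photo_id: int) -> Photo:
    """IDOR: only the id from the request is consulted, so any logged-in
    partner can fetch any other partner's photo by changing the number."""
    photo = PHOTOS.get(photo_id)
    if photo is None:
        raise NotFound()
    return photo


def download_photo_fixed(current_user_id: int, photo_id: int) -> Photo:
    """Object-level authorization: the lookup is scoped to the caller.
    A foreign photo is answered exactly like a missing one, so the
    response does not reveal which ids exist."""
    photo = PHOTOS.get(photo_id)
    if photo is None or photo.owner_id != current_user_id:
        raise NotFound()
    return photo


def foreign_photos_reachable(handler: Callable[[int, int], Photo],
                             user_id: int) -> List[int]:
    """Regression check for a download handler: ids of photos belonging to
    other users that the handler still serves. Should be empty."""
    leaked = []
    for photo_id, photo in PHOTOS.items():
        if photo.owner_id == user_id:
            continue
        try:
            handler(user_id, photo_id)
            leaked.append(photo_id)
        except NotFound:
            pass
    return leaked
```

Running `foreign_photos_reachable` against each handler for partner 101 shows `[2, 3]` for the vulnerable one and `[]` for the fixed one.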
Thank you for reading. If you have any questions, feel free to ping me on X or LinkedIn.