Account Takeover via IDOR
Nov 18, 2020
IDOR (Insecure Direct Object Reference) occurs when an application takes an object identifier from user-supplied input and reads or modifies that object without checking that the requesting user is authorized to access it. It is an authorization failure rather than an input validation one: the identifier can be perfectly well-formed and still belong to someone else.
The Scenario
The target application I was working on had proper input validation in place, and I was hitting a dead end with all my test cases. So I decided to concentrate on business logic issues and authorization-related vulnerabilities, and the user profile section was the right place to begin. The application had an update-profile feature that passed a bunch of parameters in its JSON request (whoaaa!!), and this functionality led to a series of vulnerabilities.
- The POST request carried a few ID parameters in the JSON body, ID and UserID. Changing both of them to values of my choice let me change the details of whichever user those IDs belonged to. However, I wasn't sure whether it really was updating the user I had chosen. I noticed other parameters in the JSON request, SendEmailNotification and ResetPassword, which were set to false by default. Changing them to true triggered an email notification containing the username and the reset password in clear text. Bang!! I could log in with the credentials received by email for any user ID I supplied. Updating the Email ID field in the same request made it even worse, because the victim would never be able to recover their account via the forgot password functionality. I could simply run Intruder over the ID range to collect every valid user ID, which would have resulted in complete account takeover. How cool is that 💁🏻
- Additionally, the JSON request had a RoleID parameter; tampering with it gave me the privileges of an admin account. 😎
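To make the two findings above concrete, here is an added example (my own code, not the target application's and not the author's): a minimal in-memory update-profile handler in Python with the same shape as the request described, taking ID, UserID, Email, ResetPassword, SendEmailNotification and RoleID from the JSON body, beside a hardened version that derives the edited identity from the session instead. The user records, the role numbers, the DisplayName field, the Forbidden exception and the outbox list standing in for outgoing email are all assumptions for illustration.

```python
import secrets
from dataclasses import dataclass

# Role identifiers are assumptions for this example; the write-up only says RoleID existed.
ROLE_ADMIN = 1
ROLE_USER = 2

# Fields an ordinary user may change about their own profile (assumed allow-list).
CLIENT_EDITABLE = {"DisplayName", "Email"}
# Identifier fields named in the write-up; if present they must match the session user.
IDENTIFIER_FIELDS = {"ID", "UserID"}


@dataclass
class User:
    user_id: int
    email: str
    role_id: int
    password: str
    display_name: str = ""


class Forbidden(Exception):
    """Raised by the hardened handler when the body names another user or a server-owned field."""


def make_users():
    """Constructed sample data: two ordinary users, attacker 1001 and victim 1002."""
    return {
        1001: User(1001, "alice@example.com", ROLE_USER, "alice-initial-pw"),
        1002: User(1002, "bob@example.com", ROLE_USER, "bob-initial-pw"),
    }


def update_profile_vulnerable(users, outbox, session_user_id, body):
    """Mirrors the flaw described above: the record to edit, the role and the
    reset/notify switches are all taken from the client's JSON, so the
    authenticated session (session_user_id) is never consulted."""
    target = users[body["UserID"]]                    # IDOR: the client picks who is edited
    if "Email" in body:
        target.email = body["Email"]                  # redirects recovery mail to the attacker
    if "RoleID" in body:
        target.role_id = body["RoleID"]               # vertical privilege escalation
    if body.get("ResetPassword"):
        target.password = secrets.token_urlsafe(12)   # victim's password silently rotated
        if body.get("SendEmailNotification"):
            outbox.append((target.email,
                           f"username={target.email} password={target.password}"))  # clear text
    return target


def update_profile_hardened(users, outbox, session_user_id, body):
    """Identity comes from the authenticated session; the body is allow-listed and
    fully validated before anything is written. Password resets and role changes
    are not accepted here at all: they belong to separate, privileged flows."""
    for name in IDENTIFIER_FIELDS & set(body):
        if body[name] != session_user_id:
            raise Forbidden(f"{name} names another user")
    unexpected = set(body) - CLIENT_EDITABLE - IDENTIFIER_FIELDS
    if unexpected:
        raise Forbidden(f"server-owned fields in request: {sorted(unexpected)}")
    target = users[session_user_id]
    if "Email" in body and body["Email"] != target.email:
        # Notify the old address so the legitimate owner notices a hijack attempt.
        outbox.append((target.email, f"email changed to {body['Email']}"))
        target.email = body["Email"]
    if "DisplayName" in body:
        target.display_name = body["DisplayName"]
    return target


def rejected(handler, users, outbox, session_user_id, body):
    """True if the handler refuses the request with Forbidden (helper for demos/tests)."""
    try:
        handler(users, outbox, session_user_id, body)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    takeover = {"ID": 1002, "UserID": 1002, "Email": "attacker@evil.example",
                "ResetPassword": True, "SendEmailNotification": True}
    users, outbox = make_users(), []
    update_profile_vulnerable(users, outbox, 1001, takeover)
    print("vulnerable:", users[1002].email, outbox[-1])
    users, outbox = make_users(), []
    print("hardened rejects:", rejected(update_profile_hardened, users, outbox, 1001, takeover))
```

The two handlers differ in where the edited identity comes from and in when validation happens. The hardened version looks the user up by the session, checks every field of the body before the first write so a tampered request fails closed rather than half-applying, and keeps password resets and role assignment out of the profile endpoint entirely; an Intruder run over the ID range then yields nothing but a log full of Forbidden responses.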
Hope you enjoyed reading!