I’m Abdelrahman Saad, aka ‘BenSaad’, a penetration tester and bug hunter. I prefer testing applications without relying on automation or tools, as it allows me to deeply understand the application’s logic and uncover flaws that automated scanners might miss. In this write-up, I’ll share how I identified two Insecure Direct Object Reference (IDOR) vulnerabilities that allowed me to upload documents to a victim’s account and access their sensitive data!
First, I like to start with a simple dork: `site:*.example.com "choose file"`
Then I came across a subdomain, let’s call it talent.example.com:
I opened Burp Suite, started browsing, and filled out the form.
I checked my Burp history and found this endpoint:
POST /api/users/attach-document
There was a parameter called `sessionId`, which I replaced with `userId`.
I forwarded the request after modifying the `userId`, and the resume got uploaded to the victim’s account.
All I did was change `sessionId` to `userId`, and the website accepted my request without any errors. Then, I changed my ID to the victim’s ID.
Let’s look at the second IDOR, which allowed me to edit user information:
I checked my Burp history again and found this endpoint:
PATCH /api/users/merge?…
Let’s look at the body of the request:
The following request is after changing the id to the victim’s:
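Both IDORs above share one root cause: the server takes the account identifier (`userId` in the attach-document request, the `id` in the merge body) from the client instead of from the authenticated session. The following is an added illustration, not the target’s real code: a minimal, framework-free model of an attach-document handler with the flawed ownership check beside the hardened one (the `SESSIONS`, `DOCUMENTS`, user ids and filenames are constructed sample data).

```python
# Added illustration of the IDOR pattern from this write-up (not the target's code).
# Server-side session store: session cookie -> authenticated user id (constructed).
SESSIONS = {"sess-attacker": 1001, "sess-victim": 2002}
# Document store: user id -> uploaded file names (constructed, starts empty).
DOCUMENTS = {}


class Request:
    """Minimal stand-in for an HTTP request: a session cookie plus a JSON body."""
    def __init__(self, session_id, body):
        self.session_id = session_id
        self.body = body


def _authenticated_user(req):
    """Resolve the caller strictly from the server-side session; never from the body."""
    if req.session_id not in SESSIONS:
        raise PermissionError("not authenticated")
    return SESSIONS[req.session_id]


def attach_document_vulnerable(req):
    """IDOR: if the client supplies userId, the document is attached to that account,
    so any authenticated user can upload into any other user's account."""
    caller = _authenticated_user(req)
    owner = req.body.get("userId", caller)   # trusts client-controlled identifier
    DOCUMENTS.setdefault(owner, []).append(req.body["filename"])
    return owner


def attach_document_fixed(req):
    """Hardened: the owner is always the session's user. A client-supplied userId is
    only accepted when it matches the caller; anything else is refused and can be
    logged as a tampering attempt. The same rule applies to the merge endpoint's id."""
    caller = _authenticated_user(req)
    supplied = req.body.get("userId")
    if supplied is not None and supplied != caller:
        raise PermissionError("userId does not match the authenticated user")
    DOCUMENTS.setdefault(caller, []).append(req.body["filename"])
    return caller


def is_rejected(handler, req):
    """True when the handler refuses the request with PermissionError."""
    try:
        handler(req)
        return False
    except PermissionError:
        return True
```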
If you found this write-up useful, follow me for more upcoming write-ups on bug hunting and security testing, with my friend Mahmoud Azzam 🚀