Two IDORs allowed me to upload, modify and see a victim's data

0xBen
2 min read · Feb 2, 2025


I'm Abdelrahman Saad, aka 'BenSaad', a penetration tester and bug hunter. I prefer testing applications without relying on automation or tools, as it allows me to deeply understand the application's logic and uncover flaws that automated scanners might miss. In this write-up, I'll share how I identified two Insecure Direct Object Reference (IDOR) vulnerabilities that allowed me to upload documents to a victim's account and access their sensitive data!

First, I like to start with a simple dork: `site:*.example.com "choose file"`

Then I came across a subdomain, let's call it talent.example.com:

A form to upload your resume!!!

I opened Burp Suite, started browsing, and filled out the form.

I checked my Burp history and found this endpoint:

POST /api/users/attach-document

There was a parameter called sessionId, which I replaced with userId.

This is the victim's id after I changed sessionId to userId

I forwarded the request after modifying the userId.

The resume gets uploaded to the victim's account.

All I did was change sessionId to userId, and the website accepted my request without any errors. Then, I changed my ID to the victim's ID.

Let's see the second IDOR, which allowed me to edit user information:

I checked my Burp history again and found this endpoint:

PATCH /api/users/merge?…

This is the attacker's data

Let's see the body of the request:

This is the request before changing the `id` to the victim's

The following request is after changing the `id` to the victim's

This is the response after changing the `id` to the victim's
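To make the root cause of both findings concrete, here is an added example (not the target's code, all stores and names are constructed) that models the attach-document and merge handlers: the flawed version acts on whichever user id the client supplies, while the hardened version binds the object reference to the server-side session and refuses any id that is not the caller's own.

```python
# Constructed in-memory stores standing in for the application's database.
SESSIONS = {"tok-attacker": "u-attacker"}       # session token -> owner user id
DOCUMENTS = {"u-attacker": [], "u-victim": []}  # user id -> uploaded resumes
PROFILES = {"u-attacker": {"name": "A"}, "u-victim": {"name": "V"}}


def attach_document_vulnerable(token, body):
    """Flawed POST /api/users/attach-document: the caller is authenticated,
    but the target account comes from the body, so a client-supplied userId
    replacing sessionId is honoured. This is the IDOR pattern from the write-up."""
    if token not in SESSIONS:
        return 401, None
    target = body["userId"] if "userId" in body else SESSIONS[token]
    DOCUMENTS[target].append(body["document"])
    return 200, target


def authorize_owner(token, requested_id):
    """Return the caller's user id when the request names their own object
    (or none at all); return None for unknown sessions or foreign ids.
    The reference is derived from the session, never trusted from the body."""
    owner = SESSIONS.get(token)
    if owner is None or (requested_id is not None and requested_id != owner):
        return None
    return owner


def attach_document_fixed(token, body):
    """Hardened attach-document: uploads always land in the caller's account."""
    owner = authorize_owner(token, body.get("userId"))
    if owner is None:
        return 403, None
    DOCUMENTS[owner].append(body["document"])
    return 200, owner


def merge_profile_fixed(token, body):
    """Hardened PATCH /api/users/merge: the id in the body must be the
    caller's own, otherwise no fields are written."""
    owner = authorize_owner(token, body.get("id"))
    if owner is None:
        return 403, None
    PROFILES[owner].update(body.get("fields", {}))
    return 200, PROFILES[owner]
```

The same `authorize_owner` check belongs on every endpoint that takes an object id, since the merge endpoint was exploitable in exactly the same way as the upload one.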

If you found this write-up useful, follow me for more upcoming write-ups on bug hunting and security testing, with my friend Mahmoud Azzam 🚀


Written by 0xBen

Cyber Security Engineer & Researcher | CTF Player