Reference: https://t.co/aBH0Ousz1k?amp=1
Hey guys,
I’m here to share a recent finding on a website, one that pushed me to write my first post. I cannot disclose the name of the company because of a Non-Disclosure Agreement (NDA), so I’ll be using target.com for references.


TL; DR

I found that one API endpoint lacked an access control check (Broken Access Control), which let me edit/delete the work experience and educational details of any user without their permission.


Prerequisites

What is IDOR?
Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly.


So, I had been testing target.com for the last 3 days. I had found some bugs, including Cross-site scripting and rate-limiting issues, but I was not satisfied with what I had, so I kept digging. After an hour of searching, my eye caught the response to an API request:
[Figure: Work creation Response]
You can clearly see that this response includes an ‘id’ parameter (“id”:2150). This caught my attention.
This response was generated because I had added a work experience to my profile on target.com. The original request was:
[Figure: Work creation Request]
Now I started fuzzing that location. I tried a few things, like creating a work experience for another user by adding some parameters to the JSON body of the request, but nothing happened.
I was about to move on from this endpoint, but suddenly I thought about checking the delete functionality for work experience.
I deleted the work experience on my profile and captured the request:
[Figure: Delete Request of work experience]
Now I think you have also spotted the interesting parameter in that URL. The method was DELETE and the URL was https://www.target.com/api/user-firm/2150. That number (2150) in the request again caught my attention. Now see the response to the above request:
[Figure: Delete Response of work experience]
The response contained the status code ‘204 No Content’, which means that the work experience was deleted successfully and there was no longer any content at that location.
Now I created another account and again followed the above steps. I added a work experience to this profile. The request was:
[Figure: Request for Creating work (2nd Account)]
The response had something that again brought back my earlier thoughts.
[Figure: Response of Creating work (2nd Account)]
Here “id”=2151, which was the successor of the id of the previous work experience that I had created with my first account. Now I knew that the ids were being assigned sequentially.
Now, from the first account, I again created another work experience.
Now the idea was to check for an IDOR vulnerability.
So, I tried to delete the work experience of the 2nd account using the request from the first account.
Make sure you remember the creation id (2150) of the first work experience.
The deletion request from my first account was:
[Figure: Deletion Request from my first account]
In the above request, I changed the value of the id from 2150 to 2151. The response was:
[Figure: Response]
Voila!!
So I had just deleted the work experience of my 2nd account using my first account.
Again, I tried the same for adding educational details on the website. Luckily, I succeeded again.
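To make the missing check concrete, here is an added example (not the target's code) of a DELETE /api/user-firm/{id} handler in the vulnerable form described above beside an ownership-checking version; the in-memory store, user ids and titles are constructed for the example:

```python
from dataclasses import dataclass, field

@dataclass
class WorkExperience:
    id: int
    owner_id: int
    title: str

@dataclass
class Store:
    """In-memory stand-in for the user-firm table (constructed for this example)."""
    records: dict = field(default_factory=dict)
    next_id: int = 2150  # sequential ids, as observed in the writeup (2150, 2151, ...)

    def create(self, owner_id: int, title: str) -> WorkExperience:
        rec = WorkExperience(self.next_id, owner_id, title)
        self.records[rec.id] = rec
        self.next_id += 1
        return rec

def delete_vulnerable(store: Store, session_user_id: int, record_id: int) -> int:
    """Before: only checks that the record exists, never who owns it, so any
    logged-in user can delete any record by changing the id in the URL."""
    if record_id not in store.records:
        return 404
    del store.records[record_id]
    return 204

def delete_hardened(store: Store, session_user_id: int, record_id: int) -> int:
    """After: the record must exist AND belong to the session user (taken from the
    server-side session, never from the request). Answering 404 for both 'missing'
    and 'not yours' avoids confirming that another user's id exists."""
    rec = store.records.get(record_id)
    if rec is None or rec.owner_id != session_user_id:
        return 404
    del store.records[record_id]
    return 204

def demo() -> dict:
    """Replays the writeup's two-account test against both handlers.
    Returns {'vulnerable': (204, False), 'hardened': (404, True)}:
    (HTTP status, whether the victim's record still exists)."""
    results = {}
    for name, handler in (("vulnerable", delete_vulnerable), ("hardened", delete_hardened)):
        store = Store()
        store.create(owner_id=1, title="first account")            # gets id 2150
        victim = store.create(owner_id=2, title="second account")  # gets id 2151
        # First account (session user 1) sends DELETE /api/user-firm/2151
        status = handler(store, session_user_id=1, record_id=victim.id)
        results[name] = (status, victim.id in store.records)
    return results
```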


Impact

I could have edited/deleted the work experience and educational details of every user registered on target.com without any permission.

Tips:

Always check the responses of API endpoints that take parameters. If a number is being passed in the API, you should fuzz the endpoint and look for IDOR.


I tested this website during my internship.
So, yes, I did not get any special bounty.
Thank you for reading so far.
I hope you have learned something.
In case you want to reach out, here’s where you can find me.
Twitter: https://twitter.com/abhiunix
Linkedin: https://linkedin.com/in/abhiunix