IDOR Exploit: Gaining Unauthorized Control Over Users’ Shopping Baskets
بِسْم اللَّه الرَّحْمن الرَّحِيم . . اللَّهمَّ صَلِّ وَسلَّم وبارك على نَبِينَا مُحمَّد
Hello,
In today’s I’ll share with you a fast scenario About an IDOR bug that i discovered in one of Bugcrowd’s private programs. This bug allowed me to [ disclose & delete & add ] products in their Basket for all users without there permission : )
REDACTED is a web store that sells a variety of products. While conducting bug bounty hunting on this target, I stumbled upon some vulnerabilities. This time, i focused to test IDOR in All Functions After some time i found a one.
Before purchasing any product, users can add items to their shopping basket. During my testing, I identified an IDOR vulnerability that allowed an attacker to delete items from a victim’s shopping basket without their consent.
- Intercept the Delete Request for this Product
- Replace the attacker’s [basketId — itemId] with the Victim’s [basketId — itemId].
But it’s very hard for the program to accept, How the Attacker will get Victim’s [basketId — itemId] ?
-> attacker maybe bruteforce itemId but basketId it’s impossible
So I decided to find a way to obtain the basketId
After Some Searching i discovered a GraphQL Request that retrived the basketId and itemId
In the Request have [Cookie — basketId] to check of the user
- basketId -> I don’t know but after some thinking
I tried to remove it but got 400 bad request
i replaced basketId value with null and the surprise it’s worked if i put any value in basketId like (null,test,1 ,etc…)
Every Request give me another basketId
This discovery revealed that the server did not check the user’s cookie for the basketId.
Cookie -> Not Checking
Now we have the answer of the question Victim’s [basketId — itemId]
I can delete items from a victim’s shopping basket
the weird here after delete any items from a victim’s basket my products have been added to victim’s basket. it’s like a bonus XD:)
let’s Report it…
That’s all for today. I hope you all enjoyed it and learned something new
My all links Here
