A simple IDOR worth $400.
In this blog post, I will tell you the simple but effective story of how I found an IDOR vulnerability.
Domain: target.com
First of all, I want to talk about the program. The target program was a shopping website. It was a little hard to decide to hunt on a program that had been active for about 2 years; I was afraid of duplicates, but I opened the target program and started browsing the target site for about 1–2 hours, trying to understand the logic of the website and collecting requests. I focused on this program for a day or two, but I didn't find anything.
On a shopping site, I first try the business logic: ordering a product for free, and so on. I tried many things here and none of them worked.
I purchased a product and, while it was in the preparation phase, I cancelled the order and requested a return. I then caught the request. The request link looked like this:
https://www.target.com/return/rorderID=1123
Yes, as you guessed, I quickly replaced the number with nearby values such as 1122 and 1121 and reached the return pages of other users:
https://www.target.com/return/rorderID=1122
https://www.target.com/return/rorderID=1121
This page did not show any PII about the user, but it had an option to cancel the refund. By changing the order ID, I could cancel other users' refund requests.
I sent the report. One day later it was accepted and I was awarded $400. Endpoints like this are easy to overlook on shopping sites; make sure you test every function.
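To make the root cause concrete, here is an added example (my own illustration, not code from the original post or from the target site) that models the return endpoint described above. The vulnerable handlers look an order up by its ID alone, which is exactly what let a neighbouring order ID be opened and its refund cancelled; the hardened handlers scope every lookup to the authenticated user. The `Shop`, `Order`, user names, the order IDs 1121–1123 and the `probe_neighbours` helper are all constructed for this example; the real site's implementation is unknown.

```python
"""Added example (not the original post's code): a minimal model of the
return/refund endpoint, showing the IDOR and its fix.

All order data, user names and function names are constructed for
illustration; the real site's implementation is unknown.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass
class Order:
    order_id: int
    owner: str                      # user who placed the order
    refund_requested: bool = True   # a return/refund is pending


class NotFound(Exception):
    """Raised when the caller may not see the order. A 404-style response
    (rather than 403) avoids confirming that another user's ID exists."""


class Shop:
    def __init__(self, orders):
        self.orders: Dict[int, Order] = {o.order_id: o for o in orders}

    # --- vulnerable: authorised by order ID only, like the endpoint above ---
    def return_page_vulnerable(self, order_id: int) -> Order:
        # Any logged-in user who guesses an ID gets the page.
        return self.orders[order_id]

    def cancel_refund_vulnerable(self, order_id: int) -> bool:
        # Same missing check on the state-changing action.
        order = self.orders[order_id]
        order.refund_requested = False
        return True

    # --- hardened: every access is scoped to the authenticated user ---
    def _owned_order(self, user: str, order_id: int) -> Order:
        order = self.orders.get(order_id)
        if order is None or order.owner != user:
            raise NotFound(order_id)
        return order

    def return_page(self, user: str, order_id: int) -> Order:
        return self._owned_order(user, order_id)

    def cancel_refund(self, user: str, order_id: int) -> bool:
        order = self._owned_order(user, order_id)
        order.refund_requested = False
        return True


def probe_neighbours(lookup, my_order_id: int, span: int = 2):
    """Test the way the post did: walk the IDs next to your own order and
    record which ones `lookup` lets the current session open."""
    reachable = []
    for oid in range(my_order_id - span, my_order_id + span + 1):
        try:
            lookup(oid)
            reachable.append(oid)
        except (KeyError, NotFound):
            pass
    return reachable


def make_shop() -> Shop:
    # Constructed sample data: three consecutive order IDs, three users.
    return Shop([
        Order(1121, "alice"),
        Order(1122, "bob"),
        Order(1123, "attacker"),
    ])


if __name__ == "__main__":
    shop = make_shop()
    print("vulnerable:", probe_neighbours(shop.return_page_vulnerable, 1123))
    print("hardened:  ", probe_neighbours(
        lambda oid: shop.return_page("attacker", oid), 1123))
```

Two points worth keeping in mind when fixing or reporting this class of bug: the ownership check has to be on the state-changing action (cancelling the refund) and not only on the page that displays it, and switching to random, non-sequential order IDs is only defence in depth, since an ID that leaks through a receipt or a support e-mail would still be usable without the check.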
The product I wanted to buy was a black hat, but we must be a hacker with a white hat :)
For suggestions or questions, you can contact me at my LinkedIn address.
Good reading for everyone, stay healthy.