($$$) IDOR via GET Request which can SOLD all User Products

Aidil Arief
2 min readMar 8, 2022

--

Hi everyone,

In this article I want to share my findings on a Private Program at Hackerone which is very unique.

Let’s take a minute to take a look at this :)

When I was hunting on a private program on Hackerone, I came across a scope of https://redacted.com/. And that site is a Market site.

Note:
The scope of my program is kept secret with the word “Redacted

On that site I tried to see first the flow of how the application processes the request. And after I understand, then start to do bug hunting.

And there is something unique here, where the application processes data via GET and not POST.

This is probably normal, and if you are an API tester you might think this is unique.

The findings are requests where when the attacker makes a request to “SOLD” the product.

Here’s a snippet of the request:

GET /product?product_Id=125&user_Id=1338&Access=sold HTTP/2
Host: www.redacted.com
Cookie: *******
User-Agent: *******
Referer: https://www.redacted.com/product?product_id=125
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

Let’s describe the request:

  1. product_Id

Where the request requires a product_Id to identify the request.

2. user_Id

This parameter is needed to identify the rightful owner of the product requested in the request.

3. Access

In this parameter to identify what requests made by the user.

If so, let’s do some testing on this feature :)

First, I definitely made 2 accounts with each different browser, namely as Attacker and Victim

Then create a Product there with those 2 accounts.

Here’s a snippet of the product URL:

a. Attacker

https://www.redacted.com/product?product_Id=125

b. Victim

https://www.redacted.com/product?product_Id=123

Now let’s open an Attacker account, and capture requests when the attacker “SOLD” the attacker’s product.

Here’s the request:

GET /product?product_Id=123&user_Id=1337&Access=sold HTTP/2
Host: www.redacted.com
Cookie: *******
User-Agent: *******
Referer: https://www.redacted.com/product?product_id=125
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

Next, replace the valid product_Id & user_Id parameters belonging to Victim
And see it works.

Timeline :

Report : Mar 1th, 2022

Fix : Mar 8th, 2022

Bounty : $$$

--

--

Aidil Arief

Keep to secure the internet