InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


Budget Change: IDOR 1000$ Bug

Abhi Sharma, published in InfoSec Write-ups, Oct 29, 2023 (3 min read)


Discover how an IDOR vulnerability allowed unauthorized budget changes in a private program. Learn the steps to reproduce this security flaw and its potential impact on user privacy.

IDOR vulnerabilities can expose user data or allow unauthorized access to sensitive features. In this blog post, I’ll walk you through a recent discovery I made while testing Examlent.com (a placeholder name for the private program’s domain), a platform where individuals seek job opportunities and employers find potential candidates. This IDOR flaw had the potential to compromise user privacy by letting an attacker manipulate a user’s budget without their consent.

The IDOR Bug

As a bug bounty hunter, my mission was to explore Examlent.com for potential security vulnerabilities. During my testing, I discovered an intriguing IDOR (Insecure Direct Object Reference) bug that allowed any user to change another user’s budget without taking over their account. The endpoint responsible for this flaw was /employers/posts/ajax/action-crud-job.php?country=us&language=en&hid=------.

Steps to Reproduce

  1. Prepare Two Accounts: You’ll need two different accounts for this test: one as the attacker and the other as the victim.
  2. Capture the Edit Budget Request: Use your attacker account to capture the “Edit Budget” request made by the victim.
  3. Identify the hid= Value: Now, you may be wondering how the attacker can obtain the `hid=` value. In this scenario, the attacker is conducting a random attack, because the hid is only 8 characters long. They can attempt to brute force random id values.
  4. Send the Request: With the “Edit Budget” request and the hid= value in hand, the attacker can now send the request.
  5. Observe the Change: As a result, you’ll notice that the budget of the victim’s account has been altered without their consent.
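The root cause described above is a handler that looks a job up by its `hid` and writes to it without checking who owns it. The following is an added illustration, not Examlent.com’s code: a Python model of the budget-update handler in its IDOR-prone form beside a version that enforces ownership, plus a small log check that flags the pattern of many distinct missed `hid` values from one account (the account names, hid values and log lines are constructed).

```python
from dataclasses import dataclass

@dataclass
class Job:
    hid: str      # short public identifier, like the 8-char hid on the page
    owner: str    # account that created the posting
    budget: int

# Constructed sample data: two employer accounts with one posting each.
JOBS = {
    "a1b2c3d4": Job("a1b2c3d4", "victim@example.test", 5000),
    "e5f6a7b8": Job("e5f6a7b8", "attacker@example.test", 100),
}

def update_budget_vulnerable(session_user: str, hid: str, new_budget: int) -> int:
    """IDOR-prone: any logged-in user can edit any job reachable by hid."""
    job = JOBS.get(hid)
    if job is None:
        return 404
    job.budget = new_budget
    return 200

def update_budget_secure(session_user: str, hid: str, new_budget: int) -> int:
    """Same lookup, but the write is permitted only to the job's owner."""
    job = JOBS.get(hid)
    # Answer 404 for both unknown and foreign objects so the response does
    # not reveal which hid values exist, then validate the value itself.
    if job is None or job.owner != session_user:
        return 404
    if new_budget < 0:
        return 400
    job.budget = new_budget
    return 200

def flag_hid_enumeration(log_lines, threshold: int = 20):
    """Given (user, hid, status) tuples from the endpoint's access log, return
    accounts whose number of distinct hid values that drew a 404 meets the
    threshold; one session missing many different hids is the guessing signal."""
    misses: dict[str, set[str]] = {}
    for user, hid, status in log_lines:
        if status == 404:
            misses.setdefault(user, set()).add(hid)
    return sorted(u for u, hids in misses.items() if len(hids) >= threshold)

# Constructed log: 25 distinct misses from one account, a single typo from another.
SAMPLE_LOG = [("attacker@example.test", f"{i:08x}", 404) for i in range(25)]
SAMPLE_LOG.append(("victim@example.test", "a1b2c3d5", 404))
```

Short identifiers make guessing cheap, but the fix is the ownership check: even an unguessable hid must not be the only thing standing between a request and another user’s budget.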

The Impact

The unauthorized budget change not only compromises user privacy but also potentially results in financial losses, creating significant repercussions for both the victims and the platform’s integrity.

The Bounty


Written by Abhi Sharma

Cybersecurity Consultant | Pentester | Bug Bounty Hunter | ContentWriter 🔗 Connect with me on https://twitter.com/a13h1_ and https://www.linkedin.com/in/a13h1/
