Open in app

Sign up

Sign in

Write

Sign up

Sign in

Home

Library

Stories

Stats

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…

Follow publication

Finding the hidden function led to a $300 IDOR

M7arm4n
InfoSec Write-ups
Published in
3 min readMar 19, 2024

Hello folks 👋

Today I’m about to tell you guys a story about finding the beautiful BAC on a program so fasten your seatbelt and sit tight.

The story behind the attack is that the attacker can read the comments of the circle that the manager has removed him from. Quite interesting nah ?!

So let’s get into the attack scenario :

  1. In the first step, we create two accounts, a manager and an attacker
  2. Then we login to our manager account and make some comments. It doesn’t matter what the comment is about; we keep doing it until we see the option to view more replies.
  3. This is the key moment → We can do it if we see the view more replies option because this is a hidden function that won’t be called unless the comments have reached a certain level.
  4. After we have done that we can now invite our dear attacker to the program and make sure that the attacker account can send and receive comments in the program.
  5. As for the attacker, we keep commenting with the attacker account until we reach the magical view more replies option in the attacker account too.
  6. After inviting the attacker and commenting on his account, if we
    capture the request in the burp we see the following request going to
    the server and we send it to the repeater too.
  7. After we invited the attacker and made a comment noe from the manager account we knocked the attacker out of the account and made sure that he had no access to the account and the commenting circle
  8. Now we head back to the repeater where we captured our request and
    hold it there and if we make that request again we can see that we are
    able to send and see comments again but we are kicked out of the
    account. bingo !!
POST /xxxx/xxxxx/circleHome HTTP/1.1
Host: start.redacted.tld
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

circleHome&userAction=viewAllReplies&topicId=xxxx&circleId=xxxx

The security issue of this vulnerability is that members of the circle
might have some private messages that they don’t want anyone to see and by this issue, the attacker can the their comments.

After reporting the bug now we can relax!

X 🐦

X 🦅

Hacking
Hacker
Security
Bug Bounty
Bug Bounty Tips

InfoSec Write-ups
InfoSec Write-ups
Follow

Published in InfoSec Write-ups

56K Followers
Last published 16 hours ago

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Follow
M7arm4n
M7arm4n
Follow

Written by M7arm4n

1.2K Followers
6 Following

Maybe Hunter But absolutely a movie fan :)

Follow

Responses (4)

Write a response

What are your thoughts?

aminsec

Mar 19, 2024

Nice catch.
How much it took to find that?

--

AbhirupKonwar

Dec 8, 2024

Great writeup!

--

Frontier

Aug 21, 2024

Showww!!!

--

More from M7arm4n and InfoSec Write-ups

See all from M7arm4n
See all from InfoSec Write-ups

Recommended from Medium

See more recommendations

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams