InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…


Finding the hidden function led to a $300 IDOR

Hello folks 👋

Today I’m going to tell you a story about finding a beautiful BAC (broken access control) on a program, so fasten your seatbelt and sit tight.

The story behind the attack is that the attacker can still read the comments of a circle after the manager has removed him from it. Quite interesting, nah?!

So let’s get into the attack scenario :

  1. In the first step, we create two accounts: a manager and an attacker.
  2. Then we log in to the manager account and make some comments. It doesn’t matter what the comments are about; we keep going until we see the option to view more replies.
  3. This is the key moment → we can only do this once the “view more replies” option appears, because it is a hidden function that isn’t called unless the comments have reached a certain depth.
  4. After that, we invite our dear attacker to the program and make sure the attacker account can send and receive comments in it.
  5. As the attacker, we keep commenting until we reach the magical “view more replies” option in the attacker account too.
  6. After inviting the attacker and commenting from his account, if we capture the request in Burp we see the following request going to the server, and we send it to Repeater too.
  7. After we invited the attacker and made a comment, now from the manager account we remove the attacker from the circle and make sure he has no access to it or to the commenting thread.
  8. Now we head back to Repeater, where we kept the captured request, and if we replay it we can see that we are still able to send and see comments even though we were kicked out of the circle. Bingo!!

POST /xxxx/xxxxx/circleHome HTTP/1.1
Host: start.redacted.tld
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

circleHome&userAction=viewAllReplies&topicId=xxxx&circleId=xxxx

The security impact of this vulnerability is that members of the circle may have private messages they don’t want anyone else to see, and because of this issue a removed attacker can still read their comments.
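To make the root cause concrete, here is an added example (not the post’s or the program’s code) that models the circleHome handler in Python: the vulnerable version serves the hidden viewAllReplies action without checking membership, the fixed version authorizes on every action. The circle data, user names and function names are constructed for illustration.

```python
# Added example: toy model of the circleHome endpoint described in the post.
# CIRCLES, REPLIES and the handler names are constructed, not the real app.
from urllib.parse import parse_qs

# Constructed state: the manager has already removed "attacker" from circle 42.
CIRCLES = {"42": {"members": {"manager", "member2"}}}
REPLIES = {("42", "7"): ["private reply 1", "private reply 2"]}

# Same shape as the body captured in Burp (ids are constructed).
CAPTURED_BODY = "circleHome&userAction=viewAllReplies&topicId=7&circleId=42"


def parse_body(raw: str) -> dict:
    """Parse the x-www-form-urlencoded body; the bare 'circleHome' key is kept."""
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def handle_circle_home_vulnerable(user: str, raw_body: str):
    """Authorization only for actions the UI exposes; the hidden one is missed."""
    p = parse_body(raw_body)
    if p.get("userAction") == "viewAllReplies":
        # Hidden action: the UI only calls it once a thread is deep enough,
        # so the developer never added a membership check here.
        return 200, REPLIES.get((p.get("circleId"), p.get("topicId")), [])
    return 400, "unsupported action"


def handle_circle_home_fixed(user: str, raw_body: str):
    """Check circle membership server-side before dispatching any action."""
    p = parse_body(raw_body)
    circle = CIRCLES.get(p.get("circleId"))
    # The caller must currently be a member of the circle named in the request,
    # regardless of which userAction they ask for.
    if circle is None or user not in circle["members"]:
        return 403, "not a member of this circle"
    if p.get("userAction") == "viewAllReplies":
        return 200, REPLIES.get((p.get("circleId"), p.get("topicId")), [])
    return 400, "unsupported action"


if __name__ == "__main__":
    print(handle_circle_home_vulnerable("attacker", CAPTURED_BODY))  # leaks replies
    print(handle_circle_home_fixed("attacker", CAPTURED_BODY))       # 403
    print(handle_circle_home_fixed("manager", CAPTURED_BODY))        # 200
```

Replaying the captured request against the fixed handler fails for the removed user while the remaining member still gets the replies, which is the behaviour the report asked the program to restore.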

After reporting the bug now we can relax!



Written by M7arm4n

Maybe Hunter But absolutely a movie fan :)
