Gone in a Click: IDOR Vulnerabilities in Image Upload Function

By rootxy4sh. Published in InfoSec Write-ups, Aug 11, 2023 (5 min read).

Greetings, fellow cybersecurity researchers! I’m Rootxyash, a passionate security researcher and an unwavering part-time bug bounty hunter. This marks my third bug bounty writeup since I embarked on this thrilling journey of bug bounty in 2022. As time passes, 2023 proves to be a bit more demanding for me with ongoing studies in Engineering, but rest assured, whenever a fleeting moment of time allows, I love to discover vulnerabilities for fun and profit & to make the digital world more secure.

So let’s start with our story. First, what is IDOR?

Let’s see one example. Consider two users in an application, User A and User B. User A has a unique profile ID of 1000 and User B has a profile ID of 1002.

In a normal scenario, User A will only have access to his own profile with ID 1000, and User B will only have access to his own profile with ID 1002. But if User A changes the profile ID in the request to User B’s ID, 1002, and the application does not check that the requested ID belongs to the logged-in user, User A is able to access the profile of User B. This is due to Broken Access Control and Insecure Direct Object Reference. This is just a simple scenario giving a little information about IDOR.

Mostly I do hunting on weekends, so while hunting on one program (let’s consider the program as redacted.com), within three hours I got 3–4 IDOR vulnerabilities with full account takeover (regarding account takeover, I will write about it later in detail). Let’s see what the approach to discovering it was: after creating the account, I started looking for vulnerabilities while going through the website’s features and functionalities.

I found various other issues like XSS, password reset poisoning, business logic flaws, etc. After some time, I thought, why not check JavaScript files? So I instantly inspected the page and began searching for JS files. After some time, I found one JS file having some interesting things.

As you can see, the following JavaScript code is responsible for handling the “deletion of image” & “displaying the current profile image of the user” using the dropzone.js library, as well as interacting with a server using AJAX requests. There is one interesting line, /image/delete/66: it means that if the file was newly uploaded, it sends an AJAX request to delete the file on the server using the URL /image/delete/66 (with 66 being the user’s ID). I went to the profile section & instantly captured the preview request of an image in Burp Suite.

Displaying Existing Profile Image of User 40

I changed the request from /get_profile_img/40 to /image/delete/39 for user 39 and sent the request.

And as you can see, I was successfully able to delete the profile image of the 39th user, which means I can now delete the image of any user present on the platform just by changing the user ID. I can easily do that using Intruder in Burp Suite.

So, this was the first IDOR for the “preview current image & image deletion endpoint”.

After this, I thought why not check the image upload endpoint as well and try to abuse it? I instantly went to the image upload endpoint and captured the request by uploading an image for the user with ID 40.

Request of ID 40

I changed the request from /image_upload/40 to /image_upload/39 for the 39th user and sent the request.

Request after changing ID from 40 > 39

And, as you can see, I was successfully able to change the profile image of the 39th user. This means that I can now change the image of any user present on the platform by replacing the ID.
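From the defender's side, both ID-based findings above leave the same trace: the authenticated user's ID differs from the ID in the path of a state-changing request. The following is an added example, not code from the original post or the affected platform; the log format and the sample lines are constructed assumptions, and only the endpoint paths come from the write-up.

```python
import re
from collections import defaultdict

# Constructed sample access log; the "auth_user= path= status=" format is an assumption.
SAMPLE_LOG = """\
2023-07-26T10:00:01Z auth_user=40 path=/get_profile_img/40 status=200
2023-07-26T10:00:09Z auth_user=40 path=/image_upload/40 status=200
2023-07-26T10:01:15Z auth_user=40 path=/image/delete/39 status=200
2023-07-26T10:01:16Z auth_user=40 path=/image/delete/38 status=200
2023-07-26T10:01:17Z auth_user=40 path=/image/delete/37 status=403
2023-07-26T10:02:30Z auth_user=39 path=/image_upload/39 status=200
2023-07-26T10:03:02Z auth_user=40 path=/image_upload/39 status=200
"""

# Only the state-changing endpoints named in the write-up are inspected.
LINE_RE = re.compile(
    r"auth_user=(?P<user>\d+) path=/(?P<ep>image/delete|image_upload)/(?P<target>\d+)"
    r" status=(?P<status>\d+)"
)

def find_cross_user_requests(log_text):
    """Return one dict per request whose path ID is not the authenticated user's ID."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, target, status = int(m["user"]), int(m["target"]), int(m["status"])
        if user != target:
            hits.append({
                "auth_user": user,
                "endpoint": m["ep"],
                "target": target,
                # A 2xx answer means the server accepted the cross-user change.
                "succeeded": 200 <= status < 300,
            })
    return hits

def enumerating_users(hits, threshold=3):
    """Authenticated users that touched at least `threshold` distinct foreign IDs."""
    targets = defaultdict(set)
    for h in hits:
        targets[h["auth_user"]].add(h["target"])
    return {u: sorted(t) for u, t in targets.items() if len(t) >= threshold}
```

A hit with `succeeded` set is evidence the access check is missing; hits answered with 403 show the check working while still recording the probing.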

After reporting these two issues I still tried to abuse the image upload functionality and found one more vulnerable endpoint.

When we upload any image on the platform, it takes some seconds to upload, and we can even cancel the upload of the image within that time frame.

I tried to capture the request for this endpoint and thought that this one could also be exploitable. And yes, it was indeed vulnerable to IDOR.

Here, we only need to replace the file name of the image with the victim’s file name, and that’s all. We can delete the profile image of any user present on the platform.

I changed the file name from endpoint.png to /1_1690351316.jpeg, which is the image file name of user 39. Interestingly, changing the user ID isn’t necessary to delete an image from this endpoint. We can easily delete profile images of any user just by knowing their image file name.

Replaced file name with victim’s file name

And yes, here we successfully deleted the profile image of our other testing account.

I reported all three of these vulnerabilities to the developers, and they applied fixes to them within a day!
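The post does not show what the developers changed. As an added example, not the platform's actual fix, here is one way an object-level ownership check closes all three endpoints, next to the vulnerable behaviour described above; the in-memory store, the function names and user 40's file name are hypothetical.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """The authenticated user does not own the object being changed."""

@dataclass
class ImageStore:
    by_user: dict = field(default_factory=dict)  # user_id -> image file name

    def owner_of(self, file_name):
        return next((u for u, n in self.by_user.items() if n == file_name), None)

def sample_store():
    # Constructed data: user 39's file name is the one quoted in the write-up,
    # user 40's file name is made up for this example.
    return ImageStore({39: "1_1690351316.jpeg", 40: "2_1690359999.jpeg"})

def delete_image_vulnerable(store, session_user_id, path_user_id):
    # Behaviour the write-up describes: the ID from the URL is trusted as-is.
    return store.by_user.pop(path_user_id, None) is not None

def require_owner(session_user_id, owner_id):
    # The owner is compared with the server-side session, never with request data.
    if owner_id != session_user_id:
        raise Forbidden(f"user {session_user_id} does not own this image")

def delete_image(store, session_user_id, path_user_id):
    require_owner(session_user_id, path_user_id)
    return store.by_user.pop(path_user_id, None) is not None

def upload_image(store, session_user_id, path_user_id, file_name):
    require_owner(session_user_id, path_user_id)
    store.by_user[session_user_id] = file_name
    return file_name

def cancel_upload(store, session_user_id, file_name):
    # File-name endpoint: resolve the owner server-side. An unknown file name
    # is rejected the same way as a foreign one, so the response does not
    # reveal which file names exist.
    require_owner(session_user_id, store.owner_of(file_name))
    del store.by_user[session_user_id]
    return True
```

A simpler design drops the user ID from the path entirely and always acts on the session's own user, which removes the parameter an attacker would tamper with.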

Thanks a ton for diving into this quick writeup; I really appreciate your curiosity & time. 🌟 If you have loved this little piece of writeup, don’t be shy, give it a hearty clap! 👏 Your virtual applause truly makes my digital heart want to write more writeups.

I occasionally share tips and insights about Bug Bounties and related topics on my Twitter and LinkedIn handles. Follow me on these platforms to share more moments together.

My Twitter handle: https://twitter.com/rootxyash

My Instagram handle: https://instagram.com/_y.a.s.h.w.a.n.t_

My LinkedIn handle: https://www.linkedin.com/in/yash-devkate-644aa120a/

Feel free to reach out if you have any questions, thoughts, or simply want to connect. I am always here to assist and engage with like-minded individuals.

HAPPY HUNTING, SEE YOU SOON!
