Hacking Wishlists in an E-commerce Web App (IDOR Diaries)

If you haven’t read the other write-ups in the IDOR Diaries series, you can find them below.
Vulnerability
We were testing a shopping website when we came across a weird wishlist feature: we were able to view the private and public wishlists of any user on the website. The wishlist URL looked like the sample below:
https://www.xyz.com/find/wishlist.jsp#/1122A36R456/supun-default-wish-list
First we tried removing /supun-default-wish-list, which gave us a 404 error. The URL then looked like this:
https://www.xyz.com/find/wishlist.jsp#/1122A36R456

Then we added a trailing “/” to the URL, which looked like this:
https://www.xyz.com/find/wishlist.jsp#/1122A36R456/
This returned the private wishlist of another user.

Now that we could bypass the wishlist protection by adding “/” to the end of the URL, we decided to dig deeper to find an IDOR that would let us enumerate all wishlists.
Since each wishlist has a unique ID like /1122A36R456/, we tried to find a flaw in this ID, and after investigation we found that it follows a pattern, though a weird one.
Here’s the ID pattern breakdown.
The ID is 1122A36R456

As shown in the figure above, the static parts of the ID remain the same and the dynamic parts can be brute-forced. (We found this by creating several wishlists and comparing their IDs, which is how we identified the static and dynamic parts.)
Then we set payloads on the dynamic positions: the 1st position with 2 numbers and the 2nd position with 3 numbers, and started brute-forcing.
We enumerated all private and public wishlists, which exposed users’ names, emails, shipping addresses and wishlist products.
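As an added illustration (not code from this post or from the tested site, which ran on JSP), here is an assumed Python version of the wishlist lookup showing why the trailing-slash bypass worked and how to close it: the visibility check belongs to the resource rather than to one URL form, and a small log check flags a client pulling many distinct wishlist IDs. All IDs, users and log lines are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Wishlist:
    id: str
    owner: str
    public: bool


# Constructed sample data; IDs mimic the post's layout (static prefix,
# dynamic digits) but are not real identifiers from any site.
WISHLISTS = {
    "1122A36R456": Wishlist("1122A36R456", owner="supun", public=False),
    "1122A36R457": Wishlist("1122A36R457", owner="alice", public=True),
}

# One route pattern covers "/<id>", "/<id>/" and "/<id>/<slug>", so the
# trailing-slash variant can never reach a handler that skips the check.
ROUTE = re.compile(r"^/(?P<id>[0-9A-Z]+)(?:/[^/]*)?$")


def wishlist_id_from_path(path: str):
    m = ROUTE.match(path)
    return m.group("id") if m else None


def may_view(wl: Wishlist, requester: str) -> bool:
    # Visibility is a property of the resource, not of the URL shape.
    return wl.public or wl.owner == requester


def get_wishlist(path: str, requester: str):
    """Hardened handler: resolve the ID first, then authorise against the
    resource. Missing and forbidden both answer 404 so the response does
    not confirm which IDs exist."""
    wid = wishlist_id_from_path(path)
    wl = WISHLISTS.get(wid) if wid else None
    if wl is None or not may_view(wl, requester):
        return 404, None
    return 200, wl


def enumeration_suspects(log_lines, threshold=20):
    """Detection side: flag clients that requested at least `threshold`
    distinct wishlist IDs. Lines are constructed '<client> <path>' pairs."""
    seen = defaultdict(set)
    for line in log_lines:
        client, path = line.split(" ", 1)
        wid = wishlist_id_from_path(path)
        if wid:
            seen[client].add(wid)
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)
```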

We reported this issue via their bug bounty program and were rewarded.
Please remember to use this knowledge responsibly and comply with legal and ethical guidelines when conducting security assessments and disclosing vulnerabilities.