InfoSec Write-ups

Home

Newsletter

About

Follow publication

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…

Follow publication

Member-only story

How I uncover an IDOR led to access Private CV

Free Read

Published in

InfoSec Write-ups

3 min read3 days ago

Hello everyone! Today, I’m excited to share how I discovered an IDOR vulnerability in one of the private programs. Let’s dive right in.

I began my bug hunting routine by enumerating subdomains using the subzy tool to check for subdomain takeovers. After that, I ran waybackurls to gather URLs and proceeded to use the httpx tool to identify interesting domain titles.

During this process, I came across a domain titled “Target Test Portal.”

I immediately visited the page and noticed a signup option. Without wasting time, I signed up for an account. After confirming my account and logging in.

I noticed something interesting:The server’s response contained my email, username, and JWT token, all encoded with my user ID. Surprisingly, there were no additional protections such as secure cookies.

I created a second account to test further. Just like before, this account’s JWT token also followed the pattern of email + userID + username.

Next, I explored my profile section and noticed an option to upload a CV. Initially, I attempted various…

Create an account to read the full story.

The author made this story available to Medium members only.
If you’re new to Medium, create a new account to read this story on us.

Continue in app

Or, continue in mobile web

Sign up with Google

Sign up with Facebook

Sign up with email

Already have an account? Sign in

Published in InfoSec Write-ups

Last published 22 hours ago

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Written by JEETPAL

An Ethical hacker Bug hunter & Developer Connect me on social media via https://linktr.ee/jeetpal2007 query:jeetpal2007@gmail.com

Responses (1)

Write a response

What are your thoughts?

Also publish to my profile

Tiara

1 day ago

gteattt

--

Recommended from Medium

Critical IDOR on chat message (1000 USD)

Bytesnull

Critical IDOR on chat message (1000 USD)

When I was hunting on a private program, I noticed an API that was not included in their scope, so I ignored it. However, after hunting for…

Mar 4

$100-$20k worth Stored XSS Vulnerability | Hidden Methods

In

InfoSec Write-ups

by

It4chis3c

$100-$20k worth Stored XSS Vulnerability | Hidden Methods

Hidden Methods to bypass restriction to find Stored XSS in Bug Bounties

Feb 26

How i Find IDOR lead to account takeover

black_virus

How i Find IDOR lead to account takeover

Hello Hunters , Hello Cyber-Sec Community

5d ago

How I Made $300 in 5 Minutes💰

Abhijeet Kumawat

How I Made $300 in 5 Minutes💰

🚀Free Article Link

Mar 5

How I Earned $2000 Automated Bug Bounty Hunting

Rafael Cavalcante

How I Earned $2000 Automated Bug Bounty Hunting

Hi, my name is Rafael, and I’m 22 years old. Today, I’m going to share an experience where I earned $2000 by discovering a vulnerability…

4d ago

Bug Hunting Recon Guide: Find Hidden Vulnerabilities Like a Pro

In

OSINT Team

by

Monika sharma

Bug Hunting Recon Guide: Find Hidden Vulnerabilities Like a Pro

Introduction

5d ago

See more recommendations

Help
Status
About
Careers
Press
Blog
Privacy
Terms
Text to speech
Teams