How I uncover an IDOR led to access Private CV

Free Read

Hello everyone! Today, I’m excited to share how I discovered an IDOR vulnerability in one of the private programs. Let’s dive right in.

I began my bug hunting routine by enumerating subdomains using the subzy tool to check for subdomain takeovers. After that, I ran waybackurls to gather URLs and proceeded to use the httpx tool to identify interesting domain titles.

During this process, I came across a domain titled “Target Test Portal.”

I immediately visited the page and noticed a signup option. Without wasting time, I signed up for an account. After confirming my account and logging in.

I noticed something interesting:The server’s response contained my email, username, and JWT token, all encoded with my user ID. Surprisingly, there were no additional protections such as secure cookies.

I created a second account to test further. Just like before, this account’s JWT token also followed the pattern of email + userID + username.

Next, I explored my profile section and noticed an option to upload a CV. Initially, I attempted various…