InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


How I Uncovered an IDOR That Led to Access to Private CVs


JEETPAL, published in InfoSec Write-ups, 3 min read, Mar 11, 2025


Hello everyone! Today, I’m excited to share how I discovered an IDOR vulnerability in one of the private programs. Let’s dive right in.

I began my bug hunting routine by enumerating subdomains using the subzy tool to check for subdomain takeovers. After that, I ran waybackurls to gather URLs and proceeded to use the httpx tool to identify interesting domain titles.

During this process, I came across a domain titled “Target Test Portal.”

I immediately visited the page and noticed a signup option. Without wasting time, I signed up for an account. After confirming my account and logging in, I noticed something interesting: the server's response contained my email, username, and a JWT token, all encoded with my user ID. Surprisingly, there were no additional protections such as secure cookies.

I created a second account to test further. Just like before, this account’s JWT token also followed the pattern of email + userID + username.

Next, I explored my profile section and noticed an option to upload a CV. Initially, I attempted various file upload vulnerabilities, but none succeeded. So, I left a file uploaded for further testing.

Later, I discovered a CV download endpoint. This endpoint relied solely on the Authorization header. After about 30 minutes of testing, I realized this token was the same JWT token issued after login.

I attempted replacing the Authorization token with the one from my second account. As expected, I successfully downloaded the CV from the second account. On its own, though, this wasn't impactful enough to qualify as a bug, since it still required the victim's Authorization JWT token, so I set it aside for a while.

When reviewing my collected waybackurls, I noticed that several URLs had exposed JWT tokens. Since the user ID was only three digits long, I decided to brute-force it. By iterating through different JWT tokens in the Authorization header, I successfully accessed 458 CVs without the owners' permission.

So I documented my findings and reported them to the team (just an hour ago).
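The download endpoint above trusted whatever JWT arrived in the Authorization header, and those tokens later turned up in archived URLs. As an added example (not code from the post or from the target program), here is a stdlib-only HS256 verifier and a hardened download handler: it checks the signature in constant time, so a token with an altered user ID is rejected; it enforces a short exp, so a token lifted from an archive stops working; it refuses tokens passed in the query string (assumed here to be how they reached URLs); and it resolves the CV from the token's subject only, never from request input. SECRET, CV_STORE, issue_token, verify_token and download_cv are names chosen for this example.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"   # constructed for the example; load a real key from config
CV_STORE = {101: b"CV of user 101", 102: b"CV of user 102"}  # constructed sample data

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, email, username, now=None, ttl=900):
    """HS256 JWT with the claims the post saw (email, user id, username) plus a short exp."""
    now = int(time.time()) if now is None else now
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps({"sub": user_id, "email": email, "name": username,
                                     "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_token(token, now=None):
    """Return the claims, or None if the token is malformed, mis-signed, wrong alg or expired."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None                      # refuse alg=none and any non-HMAC algorithm
        expect = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expect, b64url_decode(sig)):
            return None                      # altered claims (e.g. another user id) fail here
        claims = json.loads(b64url_decode(body))
        if int(claims["exp"]) <= now:
            return None                      # an expired token from an archived URL is useless
    except (ValueError, TypeError, KeyError, AttributeError):
        return None
    return claims

def download_cv(headers, query, now=None):
    """Hardened handler: token only from the Authorization header, CV only for its subject."""
    if "token" in query:
        return 400, b"credentials in the URL are rejected"  # keeps tokens out of logs and archives
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, b""
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return 401, b""
    cv = CV_STORE.get(claims["sub"])   # object chosen by the token subject, never by request input
    return (200, cv) if cv else (404, b"")
```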

Also, stay tuned for an upcoming live hunt — don’t miss it! 🔥

Stay secure, and happy auditing! 🕵️‍♂️💻
