My $1000 Bounty Bug: How I Stopped Companies from Losing Money with an IDOR Flaw
Discover the intriguing tale of how I stumbled upon an IDOR (Insecure Direct Object Reference) vulnerability in Examfit’s (a virtual name for the private program) Expense Validation system, and how this flaw had the potential to lead to unauthorized expense approvals, potentially costing companies a fortune.

An IDOR vulnerability caught my eye in Examfit’s (not the original name of the private program) Expense Validation scheme. But what’s IDOR, you ask? It’s like opening a door to a room you’re not supposed to enter — except it’s a digital room filled with sensitive data. In this case, it was the power to approve or reject expense requests on behalf of a victim company. Yes, you read that right!
Unleashing the Power of IDOR
Imagine this scenario: A company uses Examfit for expense management, and an employee submits an expense request. Now, imagine having the power to approve or reject those expenses on behalf of the company. With two accounts — one belonging to an employee of the victim’s company and the other to the attacker’s own company — the stage is set for some sneaky maneuvers.
- Create an Expense Request: Put on your employee hat and create an expense request as you normally would.
- Sneak a Peek: As the expense request is processing, keep an eye on the company ID for the victim’s company. Remember, we’re just looking, not touching.
- Capture the Request: Now, switch over to another account. This account should belong to a different company. Use this account to capture the /hr/expenses/validation request — it’s like taking a snapshot of what’s happening.
- The Switcheroo: Here’s where the magic happens. In the captured request, find the expense ID. It’s like swapping a puzzle piece. Change the expense ID to the one you want to give the green light to.
- Let the Request Fly: Send the edited request on its way, like a secret message. You’ve just put your hacker hat to work.
- Check the Result: Open up the expense requests and see the magic unfold. The expense that you’ve slyly given the thumbs up to gets approved.
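The root cause behind steps like these is a validation endpoint that authenticates the caller but never checks that the expense being decided belongs to the caller’s own company. The following is an added illustration written for this article, not Examfit’s code or the original post’s: it models the vulnerable handler next to a hardened one. The data model, the function names (`validate_expense_insecure`, `validate_expense`, `attempt`), the role names and the sample records are all assumptions constructed for the example.

```python
"""Constructed example: authorization gap behind an IDOR in an expense
validation endpoint, shown next to the ownership check that closes it.
Nothing here is Examfit's code; the model and names are assumptions."""
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    company_id: int
    role: str  # "employee" or "approver"


@dataclass
class Expense:
    expense_id: int
    company_id: int
    submitted_by: int
    status: str = "pending"


# Constructed sample data: two tenants (companies 100 and 200).
USERS = {
    1: User(1, company_id=100, role="employee"),  # victim company employee
    2: User(2, company_id=100, role="approver"),  # victim company approver
    3: User(3, company_id=200, role="approver"),  # approver at another company
}


def fresh_expenses():
    """One pending expense per tenant; rebuilt per call so runs are independent."""
    return {
        501: Expense(501, company_id=100, submitted_by=1),
        502: Expense(502, company_id=200, submitted_by=3),
    }


class Forbidden(Exception):
    pass


def validate_expense_insecure(expenses, caller_id, expense_id, decision):
    """Vulnerable form: checks the caller's role, then trusts the client-supplied
    expense_id, so an approver from any company can decide any tenant's expense."""
    caller = USERS[caller_id]
    if caller.role != "approver":
        raise Forbidden("approver role required")
    exp = expenses[expense_id]          # no check that exp belongs to caller's company
    exp.status = decision
    return exp.status


def validate_expense(expenses, caller_id, expense_id, decision):
    """Hardened form: load the object, compare its owning company with the caller's
    company, and only then change state. 'Not found' and 'not yours' share one
    message so the endpoint does not reveal which ids exist in other tenants."""
    caller = USERS[caller_id]
    if caller.role != "approver":
        raise Forbidden("approver role required")
    if decision not in ("approved", "rejected"):
        raise ValueError("invalid decision")
    exp = expenses.get(expense_id)
    if exp is None or exp.company_id != caller.company_id:
        raise Forbidden("expense not found")
    if exp.status != "pending":
        raise Forbidden("expense already decided")
    exp.status = decision
    return exp.status


def attempt(handler, caller_id, expense_id, decision="approved"):
    """Run one validation call against a fresh store and report the outcome."""
    expenses = fresh_expenses()
    try:
        handler(expenses, caller_id, expense_id, decision)
    except Forbidden as err:
        return f"forbidden: {err}"
    return f"{expense_id} -> {expenses[expense_id].status}"


if __name__ == "__main__":
    # Cross-tenant approval succeeds against the insecure handler and is refused
    # by the hardened one; the legitimate approver still works.
    print("insecure, foreign approver:", attempt(validate_expense_insecure, 3, 501))
    print("hardened, foreign approver:", attempt(validate_expense, 3, 501))
    print("hardened, own approver:    ", attempt(validate_expense, 2, 501))
    print("hardened, employee:        ", attempt(validate_expense, 1, 501))
```

The ownership comparison is the whole fix: the expense id in the request is treated as an untrusted lookup key, and the record it resolves to must be scoped to the caller’s tenant before any write. Logging refused attempts with the caller, tenant and requested id also gives a defender a clear signal when ids are being swapped across companies.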
Why This Matters