An IDOR story [ Turning P5 into P2 ]

What is IDOR?

IDOR refers to Insecure Direct Object Reference which means you get access to something which is not allowed to you, or you don’t have that privilege to do that action on that web application.

Let's consider the target as example.com since it was a private program.

So I was not able to find any medium/critical bugs apart from low-level bugs like reset link not expiring after use, token not expire after email change.

As I was playing with reset password function so, I thought to analyze this again. And there I saw a secret token is present in the request which is not present in reset URL.

Then I created second account, get reset password link and copied the secret token from the request and replaced the same in the request of the first account. And yes the password of first account is changed. it seems like that token was indicating user id or email id

But wait the main story isn't started yet

As soon as i reported that, it got triaged as P2 within 2 two hours and they confirmed the IDOR

This sounds very easy right ? but it's not.

the next comment they added was....

How will you get the victim's secret token ? The reset URL would have to  be obtained by the attacker some how. And that isn't possible right know. Therefore closing this as NA.

I was like Hold on! I've something for this.

Then in next comment i mentioned those two P5 bugs i mentioned above.

Bug-1) Reset Link isn't expiring after email change
Bug-2) Reset Link isn't expiring after use

These two bugs can leak victim's secret token

After two days report was reopened

Changed from P2 to P3 [ Because this needs two P5 bugs to be successful ]

Accepted as a valid issue. $$$ Boutny

You may think why would attacker steal the secret token when he is having full link?

But that is a P4 bug and my target was to show them an IDOR and i did. Because it pays more 😂.

Be Clever 😎

Thank You for reading!