My First Bounty (IDOR)
In the name of God, the Most Gracious, the Most Merciful
First of all, this is my first article. I benefited a lot from this platform, and I want to thank everyone who contributed to publishing articles that benefited everyone. So I would also like to take part in informing others about what I have learned.
This is a long road, my friend. Everyone has passed through here and has faced difficulties at the beginning of learning, so do not despair and keep learning.
What is an IDOR attack?
Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input (such as an id parameter) to access objects directly, without verifying that the requesting user is actually authorized to access the object that id refers to.
While I was wandering around one of the sites looking for vulnerabilities, I found an "invite a friend" form, so I put in my email.
I intercepted the request using Burp Suite, and it was surprising: the request had an id value. I thought for a moment: what if this id is mine, and I am inviting the owner of this email to become an admin on my account?
What would happen if I changed the id value? If what I was thinking of succeeded, I would put in my personal email and change the id in order to receive an invitation from the members, and thus I would have access to their accounts.
I sent the request to Intruder and set the id value as the payload position so we could start the fun.
You can load numbers from 00 to 99 as payloads, or you can choose Numbers as the payload type and generate numbers from 00 to 99 as you like.
Now let's start the attack and see what happens, friend.
Now let's go to the email and see what happens there.
Everything I was thinking about happened: 7 of the members sent me an invitation to become an admin on their accounts. After that I reported this vulnerability, and after two days the company responded to me, sent a small bonus, and repaired the vulnerability.
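To make the bug concrete, here is an added example (not the original write-up's or the site's code) modelling the "invite a member" endpoint from the story: one handler that trusts the client-supplied id, the same handler with the ownership check that closes the IDOR, and a log check a defender could run over invitation records. All account, session and email data is constructed.

```python
# Added example, not the original write-up's or the site's code: a minimal model
# of the "invite a member" endpoint, first with the IDOR and then with the
# ownership check that closes it, plus a log check a defender could run.
# All account, session and email data below is constructed.

ACCOUNTS = {1: "alice", 2: "bob", 3: "carol"}     # account id -> owner
SESSIONS = {"tok-alice": "alice"}                  # session token -> logged-in user

class Forbidden(Exception):
    """Raised (a 403 in a real app) when the caller does not own the account."""

def invite_member_vulnerable(session_token, account_id, invitee_email, outbox):
    """IDOR: account_id comes straight from the request and is used without
    checking that it belongs to the authenticated user, so any logged-in
    user can push an admin invitation into any account."""
    user = SESSIONS[session_token]
    if account_id not in ACCOUNTS:
        return False
    outbox.append({"to": invitee_email, "account_id": account_id, "invited_by": user})
    return True

def invite_member_fixed(session_token, account_id, invitee_email, outbox):
    """Fixed: resolve the object server-side and enforce ownership before acting."""
    user = SESSIONS[session_token]
    if ACCOUNTS.get(account_id) != user:
        raise Forbidden(f"{user} does not own account {account_id}")
    outbox.append({"to": invitee_email, "account_id": account_id, "invited_by": user})
    return True

def find_cross_account_invites(outbox):
    """Detection: invitations whose sender is not the owner of the target
    account. Over real invitation logs this flags exactly the abuse above."""
    return [m for m in outbox if ACCOUNTS.get(m["account_id"]) != m["invited_by"]]

def demo():
    """Alice (session tok-alice) tries to invite an address into Bob's account (id 2)."""
    outbox = []
    vulnerable_ok = invite_member_vulnerable("tok-alice", 2, "me@example.com", outbox)
    try:
        invite_member_fixed("tok-alice", 2, "me@example.com", outbox)
        fixed_blocked = False
    except Forbidden:
        fixed_blocked = True
    own_ok = invite_member_fixed("tok-alice", 1, "friend@example.com", outbox)
    suspicious = find_cross_account_invites(outbox)
    return {"vulnerable_ok": vulnerable_ok, "fixed_blocked": fixed_blocked,
            "own_ok": own_ok, "suspicious": len(suspicious), "total": len(outbox)}
```

Running `demo()` shows the vulnerable handler accepting the cross-account invite, the fixed handler refusing it while still allowing Alice to invite into her own account, and the log check flagging the one bad record.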
I was happy with this gift, and this was my reaction. Don't forget to follow me; I have more stories waiting to tell you, friend.