My First Bounty (idor)

There is no despair with life, no life with despair

بسم الله الرحمن الرحيم

First of all, this is my first article. I benefited a lot from this platform, and I want to thank everyone who contributed to publishing articles that benefited everyone. So I would love to also participate in informing others about what I teach him.
This is a long road, my friend. Everyone has passed here and have crossed difficulties at the beginning of learning, so do not despair and keep learning.

What is Idor attack ?

Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly.

While I was wandering around one of the sites looking for vulnerabilities, I found a list that invited a friend, put in my email

I intercepted the request using burp suite and it was surprising. request has id value .I thought a little if this id is mine and I invite the owner of this email to become an admin on my account.
What will happen if you change the id value . If what I am thinking of succeeds, I will put my personal email and change the id in order to get an invitation letter from the members and thus I will have access to their accounts.

After intercepting request

I sent the request to intruder and set the id value so we can start the fun

The beginning of the fun

You can upload numbers from 00 to 99 in payloads or you can choose Numbers in payload types and make numbers from 00 to 99 as you like.

Payloads Sets

Now let's start the attack and see what happens, friend

A bug looms on the horizon

Now, let's go to the email to see what happens there.

All I was thinking about happened, 7 of the members sent an invitation to become addicted to their accounts, after that I reported this vulnerability and after two days the company responded to me and sent a small bonus and they repaired the vulnerability

I was happy with this gift and this was my reaction. Don’t forget to follow me, I have more stories waiting for you, friend, to tell you