IDOR Vulnerability with empty response still exposing sensitive details of customers!

rahulvarale.medium.com · kh4sh3i/bug-bounty-writeups · 17 hours ago · bug-bounty
AI Summary

An IDOR vulnerability in an e-commerce application's address management API allowed exposure of other users' sensitive information (names, addresses, phone numbers) through a POST request to the set-default-address endpoint, which returned 200 with an empty body but still processed sequential address IDs. The vulnerability was discovered when the payment page displayed a different user's address data.

Rahul Varale · ~1 min read · March 13, 2021 (Updated: January 7, 2022)

Hello there👋! For many days I was thinking of sharing my bug bounty experience with the community, and I'm finally writing my first write-up.

After basic recon, I started testing functionalities on the main domain. It was an e-commerce website, say https://redacted.com. As it was an e-commerce site, there is a shipping address. While updating the address, I noticed that the address_id parameter is the unique ID for each address.

I tried IDOR (if you don't know what IDOR is, check https://portswigger.net/web-security/access-control/idor), but it validated the session and only gave the respective user's address. I tried changing the method (GET, POST, PUT), but nothing worked.

Then I clicked on the "set as default address" button. A POST request was sent to https://redacted.com/c/def_addr with the address_id, and I got a 200 response with an empty body. I repeated the same POST request with sequential address_id values and again got a 200 response with an empty body. After playing with the address APIs, there was no success. 😞

I moved to the cart and checkout functionality. After clicking through to the checkout page, I was redirected to https://redacted.com/payment, and surprise!! I noticed a different address belonging to some other user! It contained the Customer Name, Full Address and Mobile Number. So all users' addresses and mobile numbers were exposed!

Thank you for reading. As this is my first write-up, suggestions are most welcome.
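As an added example (not the author's code; the real backend behind redacted.com is unknown, and all names, ids and addresses below are constructed), a minimal Python model of the failure pattern described above: the set-default endpoint validates the session but never checks that address_id belongs to that session's user, answers 200 with an empty body either way, and the leak only becomes visible when the checkout page renders whatever is now the default address. The hardened version checks ownership and gives the same response for a missing id and a foreign id, so the endpoint cannot be used to enumerate which ids exist.

```python
from dataclasses import dataclass


@dataclass
class Address:
    address_id: int
    owner: str
    name: str
    line: str
    phone: str


# Constructed sample data (hypothetical): two customers, one address each.
ADDRESSES = {
    101: Address(101, "alice", "Alice A.", "1 Example St", "555-0101"),
    102: Address(102, "bob", "Bob B.", "2 Sample Ave", "555-0102"),
}


def fresh_state():
    """Per-user default address id, keyed by the session user (constructed)."""
    return {"alice": 101, "bob": 102}


def set_default_vulnerable(state, session_user, address_id):
    """Mirrors the write-up's /c/def_addr: the session is checked, but address_id
    is only checked for existence, not ownership. Returns (status, body)."""
    if session_user not in state:
        return 401, ""
    if address_id in ADDRESSES:          # existence only, no ownership check
        state[session_user] = address_id
    return 200, ""                       # 200 with an empty body either way


def set_default_hardened(state, session_user, address_id):
    """Fixed version: the address must exist AND belong to the session user.
    Same response for a missing or a foreign id, so nothing is enumerable."""
    if session_user not in state:
        return 401, ""
    addr = ADDRESSES.get(address_id)
    if addr is None or addr.owner != session_user:
        return 404, ""
    state[session_user] = address_id
    return 200, ""


def payment_page(state, session_user):
    """Checkout view that renders the default address without re-checking ownership,
    which is where the cross-user data surfaced in the write-up."""
    addr = ADDRESSES[state[session_user]]
    return {"name": addr.name, "address": addr.line, "phone": addr.phone}
```

A second ownership check in payment_page (defence in depth) would have masked the symptom but not the root cause, which is the missing check on the write endpoint.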
Connect with me on https://www.linkedin.com/in/rahulvarale/ #bug-bounty #cybersecurity #infosec #info-sec-writeups #idor-vulnerability