Here is the article how I was able to bypass authentication token and able to exploit IDOR and add any user to add events of the website ..before coming on the main topic that how I find the vulnerability let me clear your core concepts about authorization tokens

Authorization tokens : They are used to authenticate user suppose a USER A visited a website and create their accounts authorization token verifies the user each time when USER A logon in website web page gives him auth token and when he logout then token get destroyed and each time when USER A login to that website he gots a new token that’s the work of auth tokens..it prevents from vulnerabilities like IDOR,CSRF and cors

so that’s the basic concept about authorization tokens.. now I  tell my story of getting IDOR I was really excited when I got a invitation program I decided to look at that program I saw there the site was implementing auth tokens for identifying users it creates a new token when user logged in each time and destroy the token when user logout from website after playing with request and response I saw there when the request was send with ‘PATCH’ method without auth token shows 401(unauthorized) response while the request with any other method without auth token it shows response 200 (ok). It means token not implemented properly 🙂 I tried to change the patch method to get but still found 401 the other request other than the ‘patch’ method are seems to be useless bcoz there was no crucial data which I report to the website so I decided to check every page which consists of GET or POST methods I fuzz every page there I saw there was an option to register on event anyone can register in the event by uploading his/her resume and his name… I quickly created another account on the website and register my 2nd account on the event and logout from my device and then I open burp and change the email id, name, and id no. to mine first account and remove the auth token and bingo! I got registered on that event from my account with the resume and information of other candidates due to IDOR

WriteUp By: @Mohit

LEAVE A REPLY

Please enter your comment!
Please enter your name here