Saturday, November 23, 2024

IDOR and Rate Limit Vulnerability that leads to Privilege Escalation and Denial of Service

Well, it is Saturday again and this is a late post about one of the forum endpoints I reported; this company is one of the top in the world.

This endpoint is vulnerable to IDOR: I can change any user's profile mapping or path used in the forum. The endpoint lacks access control and has no authentication requirement before accepting a request. There is not even rate limiting in place, so enumerating IDs and brute forcing is possible.

The vulnerable endpoint was /redacted/registration/redacted on https://redacted.redacted.com. The endpoint is used during the registration process to create a forum username. However, it can also be used to change a profile path if an ID found through enumeration already has one associated with it.


For the sake of a PoC, I wrote two Python scripts, one of them to prove that this can be automated, and I sent them a video capture as well.

Running the Python script...

The other script just shows that the IDs can be enumerated and brute forced, as the endpoint lacked rate limiting.

In the second script I just added the generation of numeric IDs, set each one in the variable, and checked whether the ID exists. If it does, the profile path is changed to whatever I want it to be, and this runs in a loop until interrupted.

I commented out the other part of the script, did not complete it and did not integrate it, because it is too risky: I could REALLY change every forum profile path with a matching ID. The ID is just a combination of 9 million possible values if fully utilized. I just wanted to show them that this is doable.

Running the Python script to enumerate and brute force...

Here is also an endpoint that I used to check and confirm that the path was successfully changed.

Through this vulnerable endpoint, paths can be manipulated, since reaching it already bypasses the validation and sanitization process. The parameter even accepts all types of characters (I am still investigating how this could be escalated to maximum impact).

I reported this to them on August 3 and they addressed the issue after 34 hours. As usual, they put my name in their Hall of Thanks and rewarded me a USD 2,500 bounty.

That's all for now.


Friday, August 30, 2024

CORS vulnerability on redacted.com :)

Well, today is Saturday, and bear with me as I am usually lazy about doing write-ups, so I will do my best to share what I can. I am redacting the corporation's name as I was not allowed to disclose these findings in association with them.

The CORS vulnerability that I found last weekend was in one of the hosts I have been working on in a bug bounty program. This multinational corporation is one of the top in the world.

A CORS (Cross-Origin Resource Sharing) vulnerability happens when a web application allows cross-domain requests without proper validation, or without properly restricting the allowed domains and hosts it shares resources with. If sensitive information or data is present, it can be stolen by writing malicious code that exploits the vulnerability.


As shown below, two important headers are present in the response, and I can change the value of the "Origin" header to my own domain or to any that I want.

ACAO or Access-Control-Allow-Origin:

ACAC or Access-Control-Allow-Credentials: true


I successfully changed the Origin value to my VPS server's IP address. Using a PoC/exploit hosted on my VPS server, shown below, I was able to retrieve the information, since this vulnerable host was misconfigured to allow any host/domain to fetch it.



Also shown are the details from the browser's inspect element.


Just imagine sending a malicious link to an authenticated victim on this host: it could steal their sensitive information. I reported these findings to them and they immediately fixed it.
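To make the fix concrete, here is an added example (my own illustration, not the vendor's code or the PoC from the report) contrasting the misconfigured response, which reflects whatever Origin arrives together with ACAC: true, with an allowlisted version. The allowlist entries and the helper names are assumptions for the example.

```python
from typing import Optional

# Constructed allowlist for this example; a real deployment loads it from
# configuration. Origins are compared as whole values (scheme, host, port),
# never as substrings, so "https://app.example.com.attacker.test" fails.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def cors_headers_reflecting(origin: Optional[str]) -> dict:
    """The misconfiguration described above: the request's Origin is echoed
    into ACAO and paired with ACAC: true, so any site the victim visits can
    read responses that carry the victim's cookies."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(origin: Optional[str]) -> dict:
    """Hardened variant: credentials are only paired with an exact-match
    allowlisted origin; any other origin gets no CORS headers at all."""
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # The response depends on Origin, so shared caches must key on it.
        "Vary": "Origin",
    }


def origin_can_read_with_credentials(headers: dict, origin: str) -> bool:
    """Audit check: would a page on `origin` be allowed to read this response
    with the victim's credentials attached? That needs ACAO equal to that
    exact origin (browsers refuse '*' together with credentials) and ACAC
    set to 'true'."""
    acao = headers.get("Access-Control-Allow-Origin")
    acac = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    return acao == origin and acac
```

The third function is the same check one would run over captured response headers during a review: if it returns True for an origin you do not control, the host has the problem described in this post.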

And about the bug bounty reward? That's a $ECRET :)

That's all for now!