Saturday, November 23, 2024

IDOR and Rate Limit Vulnerability that leads to Privilege Escalation and Denial of Service

Well, it is Saturday again, and this is a late post about one of the forum endpoints I reported to a company that is one of the top in the world.

This endpoint is vulnerable to IDOR: I could change any user's profile mapping, or path, being used in the forum. The endpoint has no access control and no authentication requirement prior to making a request. There is not even rate limiting in place, so enumerating the ID and brute forcing are possible.

The vulnerable endpoint was /redacted/registration/redacted on https://redacted.redacted.com. The endpoint is used during the registration process to create a forum username. However, it can also be used to change a profile path if the ID found through enumeration already has one associated with it.

For the sake of a PoC, I wrote two Python scripts. One is to prove that this can be automated, and I sent them a video capture as well.

Running the Python script...

The other script is just to show that the IDs can be enumerated and brute forced, as the endpoint was lacking rate limiting.

In the second script I just added the generation of numerical digits and set it in a variable to check whether the ID exists. If it does, the profile path is changed to whatever I want it to be, and that runs in a loop until interrupted.

I commented out the other part of the script; I did not complete it and did not integrate it yet, because it is too risky, as I could REALLY CHANGE every forum profile path with a matching ID. The ID space is just a combination of 9 million possible values if fully utilized. I just wanted to show them that this is doable.

Running the Python script to enumerate and brute force...

Here is also an endpoint that I used to check and confirm that the path was successfully changed.

Through this vulnerable endpoint, paths can be manipulated, as reaching this endpoint already bypasses the validation and sanitization process. The parameter even accepts all types of characters (for this, I am still doing extensive investigation on how I can escalate it to maximum impact).
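To make the missing controls concrete, here is an added illustration (my own sketch for this post, not the vendor's code and not one of my PoC scripts) of a profile-path handler that behaves like the reported endpoint, beside a hardened version that requires a session, throttles callers, checks ownership of the ID, and allow-lists the path characters. The in-memory `PROFILES` store, the ID values and the limits are constructed for the example.

```python
import re
import time
from collections import defaultdict, deque

# Constructed in-memory stand-in for the forum's user table: forum user id -> profile path.
PROFILES = {100000001: "alice", 100000002: "bob"}
# Allow-list for profile paths; anything outside it is rejected instead of stored verbatim.
PATH_RE = re.compile(r"^[a-z0-9_-]{3,30}$")


def set_profile_path_vulnerable(user_id, new_path):
    """Mirrors the reported behaviour: no session, no ownership check, no validation,
    and a distinct response for unknown IDs that lets a caller enumerate the ID space."""
    if user_id not in PROFILES:
        return 404
    PROFILES[user_id] = new_path
    return 200


class RateLimiter:
    """Sliding-window limiter keyed by caller (session id or source address)."""

    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[key]
        while q and now - q[0] > self.window_s:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


LIMITER = RateLimiter(limit=5, window_s=60)   # constructed limit for the example


def set_profile_path_hardened(session_user_id, user_id, new_path, now=None):
    """Authenticate, throttle, authorize, validate; unknown and foreign IDs get the same 403."""
    if session_user_id is None:
        return 401                                   # must be logged in at all
    if not LIMITER.allow(session_user_id, now):
        return 429                                   # throttled before any lookup happens
    if user_id != session_user_id or user_id not in PROFILES:
        return 403                                   # only your own profile, no existence oracle
    if not PATH_RE.match(new_path):
        return 400                                   # reject instead of storing arbitrary bytes
    PROFILES[user_id] = new_path
    return 200
```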

I reported this to them on August 3, and they addressed the issue after 34 hours. As usual, they put my name in their Hall of Thanks and rewarded me a USD 2,500 bounty.

That's all for now.