How I found my first bug (IDOR)

Hello guys!! Hope you all are doing good.. This is my first ever writeup/article/blog whatever you like to call it. So let’s get startedddd…

Before starting my hunting process, I like to maintain a .txt file where I jot down what’s in scope and what’s not in scope. I also keep a checklist of all the bugs I would look for based on the target. It is considered good practice, and you can make one on Notion.so.

So I was testing on a website, let’s say redacted.com. This was a job-finding website where you can create an account, add your details (name, address, contact, DOB), upload your resume and apply to various companies.

So I fired up my Burp Suite and started browsing through the website as a normal user, getting familiar with the functionalities offered. Once I completed my browsing I had a look at the HTTP history to see what params and endpoints had been collected.

One endpoint instantly caught my attention and I thought it needed some testing. The endpoint was /api/v2/candidates/me

This endpoint basically fetched the logged-in user’s details. The first thing that struck my mind after looking at this was to test for IDOR, hands down!! So I started replacing “me” with numbers. I also replaced “me” with admin, Admin, accounts, basic names, and tried changing the version to v1, but no luck..
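The bug class being probed here is missing object-level authorization: the server looks up whatever object the URL names and trusts that the caller only asks for their own. The following is an added example, not code from the original post or from the site being tested. It is a minimal in-memory request handler with the two paths the post names (/api/v2/candidates/me and /api/v2/users); the user records, the role model and the 404-instead-of-403 choice are constructed for this example to show the vulnerable handler beside a hardened one.

```python
"""Object-level authorization for a candidate API.

Added example (not the original post's code, which was a black-box test):
a minimal in-memory handler showing the IDOR pattern the post describes
beside a hardened version. User records, roles and status-code choices
are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample data: a few candidate records with PII fields.
USERS = {
    101: {"id": 101, "name": "Asha", "email": "asha@example.org", "role": "user"},
    102: {"id": 102, "name": "Ben", "email": "ben@example.org", "role": "user"},
    900: {"id": 900, "name": "Ops", "email": "ops@example.org", "role": "admin"},
}

CANDIDATE_RE = re.compile(r"^/api/v2/candidates/(me|\d+)$")
USERS_PATH = "/api/v2/users"


@dataclass
class Response:
    status: int
    body: object = None


def handle_vulnerable(path: str, session_user_id: int) -> Response:
    """Looks up the object named in the URL without checking ownership.

    Any authenticated user can swap "me" for another id, and the unlinked
    /api/v2/users collection is served to anyone who guesses its path.
    """
    m = CANDIDATE_RE.match(path)
    if m:
        target = session_user_id if m.group(1) == "me" else int(m.group(1))
        if target in USERS:
            return Response(200, USERS[target])
        return Response(404)
    if path == USERS_PATH:
        return Response(200, list(USERS.values()))
    return Response(404)


def handle_hardened(path: str, session_user_id: int) -> Response:
    """Same routes with object-level and role checks applied.

    - "me" is always resolved from the session, never from the URL.
    - A numeric id is served only if it is the caller's own or the caller
      is an admin; anything else gets 404 so the response does not reveal
      which ids exist.
    - The user collection is admin-only.
    """
    caller = USERS.get(session_user_id)
    if caller is None:
        return Response(401)
    is_admin = caller["role"] == "admin"
    m = CANDIDATE_RE.match(path)
    if m:
        target = session_user_id if m.group(1) == "me" else int(m.group(1))
        if target != session_user_id and not is_admin:
            return Response(404)
        if target in USERS:
            return Response(200, USERS[target])
        return Response(404)
    if path == USERS_PATH:
        if not is_admin:
            return Response(404)
        return Response(200, list(USERS.values()))
    return Response(404)


if __name__ == "__main__":
    for handler in (handle_vulnerable, handle_hardened):
        print(handler.__name__)
        print("  own record :", handler("/api/v2/candidates/me", 101).status)
        print("  other's id :", handler("/api/v2/candidates/102", 101).status)
        print("  collection :", handler(USERS_PATH, 101).status)
```

The point of the hardened handler is that the authorization decision is made against the session, not the URL: a request for someone else’s id and a request for a non-existent id look identical from the outside, and the collection endpoint is gated by role rather than by obscurity of its path.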

I then remembered that SecLists, one of the best curated wordlist collections, contains a common api_endpoints.txt file. So I thought, why not try some fuzzing. I started Burp Intruder, loaded the api_endpoints.txt file and started the fuzzing. AND to my surprise I found a 200 OK on /api/v2/users. I checked the response and it leaked PII of more than 7k users on the website!!! I was like..
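From the defender’s side, both steps of this hunt leave a recognisable footprint in the access log: a single client walking many distinct /api/v2/candidates/<id> values, and a burst of distinct paths returning 404 as a wordlist is run against the API. The following is an added example, not part of the original post, of a small detector over Combined Log Format lines. The log lines, the thresholds and the 60-second window are all constructed for this example and would need tuning against real traffic.

```python
"""Spotting id enumeration and endpoint fuzzing in API access logs.

Added example, not part of the original post. Reads Combined Log Format
lines and flags a client that, within a time window, either walks many
distinct /api/v2/candidates/<id> ids or hits many distinct paths that
return 404. Log lines, thresholds and window are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
CANDIDATE_ID_RE = re.compile(r"^/api/v2/candidates/(\d+)$")

WINDOW_SECONDS = 60
MAX_DISTINCT_IDS = 5    # distinct ids per client per window before calling it enumeration
MAX_DISTINCT_404 = 10   # distinct 404 paths per client per window before calling it fuzzing


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def detect(lines):
    """Return a sorted list of (ip, kind) alerts found in the lines."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e)
    alerts = set()
    for ip, evs in per_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits WINDOW_SECONDS.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > WINDOW_SECONDS:
                start += 1
            window = evs[start:end + 1]
            ids = {m.group(1) for m in (CANDIDATE_ID_RE.match(w["path"]) for w in window) if m}
            if len(ids) >= MAX_DISTINCT_IDS:
                alerts.add((ip, "id_enumeration"))
            not_found = {w["path"] for w in window if w["status"] == 404}
            if len(not_found) >= MAX_DISTINCT_404:
                alerts.add((ip, "path_fuzzing"))
    return sorted(alerts)


def _line(ip, sec, path, status):
    """Build one constructed Combined Log Format line at 12:00:<sec>."""
    return f'{ip} - - [10/Mar/2024:12:00:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 512'


# Constructed sample traffic: one ordinary user and one client that first
# walks candidate ids, then runs a wordlist, then hits the collection.
WORDS = ["admin", "accounts", "debug", "status", "health", "config",
         "export", "metrics", "login", "session", "ping", "version"]
SAMPLE_LOG = (
    [_line("10.0.0.5", 1, "/api/v2/candidates/me", 200),
     _line("10.0.0.5", 2, "/api/v2/candidates/me", 200),
     _line("10.0.0.5", 9, "/api/v2/jobs", 200)]
    + [_line("198.51.100.7", 3 + i, f"/api/v2/candidates/{1000 + i}", 200) for i in range(6)]
    + [_line("198.51.100.7", 20 + i, f"/api/v2/{w}", 404) for i, w in enumerate(WORDS)]
    + [_line("198.51.100.7", 40, "/api/v2/users", 200)]
)

if __name__ == "__main__":
    for ip, kind in detect(SAMPLE_LOG):
        print(f"{ip}: {kind}")
```

The two signals are deliberately separate: id enumeration shows up as many distinct successful (or not) lookups of a numeric object id, while wordlist fuzzing shows up as a high count of distinct 404 paths. Either alone is worth an alert; both from the same client in the same minute, followed by a 200 on an endpoint nobody is linked to, is exactly the sequence this writeup describes.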

Reported and awarded €€

Takeaways: Fuzzing is your best friend :)

Also feel free to get in touch with me; I would be happy to share and learn. I will be back with a new writeup soon. Until then, ciao..!!

https://twitter.com/C1pher15

Security researcher | Bug hunter | Pentester