($$$) Broken Authentication and IDOR at [REDACTED]

4 min read · Mar 21, 2022

Hello InfoSec community, hope you guys are good. I want to share my bug bounty finding about Broken Authentication and Insecure Direct Object Reference (IDOR) at [REDACTED], here we go 🔥

Proof of Concept

First is understanding the program: *.redacted.com is in scope, so we can try to find all of the subdomains of the website. We can use tools to enumerate subdomains like Sudomy, Subfinder, Sublist3r, etc.

After getting the subdomains, I tried opening them one by one and found one interesting subdomain that showed a login page; I guessed the login page was for the admin panel. So I went deeper and tried to find something interesting in that subdomain.

Tried fuzzing https://admin.redacted.com/FUZZ with a common security wordlist; we can use fuzzing tools like gobuster, wfuzz, ffuf, etc. Some wordlist entries responded with 200 and a different length, so I tried to open those URLs, but the page just showed the same login page.

Wordlist login
Wordlist newsroom

So I checked the source code with inspect element, and surprisingly it's totally different. There is redirect code on the client side:

<script>window.location="/login";</script>

There are some options to check the page:

  • Disable JavaScript in the browser
  • or save and edit the source code locally
Source code

Comment out the redirect code, then open the source code locally. Then voila, the admin panel is shown. But of course the data can't load, because of the CSP (Content Security Policy).

Admin panel

After that I went deeper into the JavaScript source code. There are some JavaScript files included, and I found some endpoints that were interesting to test. After testing some endpoints, there is one endpoint vulnerable to IDOR:

https://admin.redacted.com/User/deleteImage

Javascript source code

Then I fired a POST request in Postman with form data id with value 1, and voila, the response said

{"success":true}

The avatar of the admin user was successfully deleted with that POST request. Finally I immediately made the PoC and reported it to the Bug Bounty program.
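To make the two root causes concrete, here is an added example (my own illustration, not the author's PoC or the target's code) modelling the admin page and the deleteImage endpoint in plain Node.js: the vulnerable handler trusts the client-supplied id with no session check, and the hardened one authenticates from a server-side session and ties the object to the caller. The `req.session` layer, the store contents and the handler names are assumptions for the demo.

```javascript
// Constructed sample data: user 1 is the admin and owns "admin.png".
function makeStore() {
  return new Map([
    [1, { name: "admin", avatar: "admin.png" }],
    [2, { name: "alice", avatar: "alice.png" }],
  ]);
}

// Vulnerable version, matching the behaviour in the write-up: no session
// check at all, and the user acted on is whatever id the client sent.
function deleteImageVulnerable(store, req) {
  const id = Number(req.form.id);
  const user = store.get(id);
  if (!user) return { status: 404, body: { success: false } };
  user.avatar = null;
  return { status: 200, body: { success: true } };
}

// Hardened version: identity comes from the server-side session (assumed to
// be populated by a session middleware), and the target id must match it.
function deleteImageHardened(store, req) {
  const session = req.session;
  if (!session || !session.userId) {
    return { status: 401, body: { success: false } }; // not logged in
  }
  const id = Number(req.form.id);
  if (id !== session.userId) {
    return { status: 403, body: { success: false } }; // not your object
  }
  const user = store.get(id);
  if (!user) return { status: 404, body: { success: false } };
  user.avatar = null;
  return { status: 200, body: { success: true } };
}

// The admin panel: instead of serving the whole page plus a client-side
// <script>window.location="/login";</script> that a browser can ignore,
// the server decides and sends a redirect with no panel HTML at all.
function adminPanelHardened(req) {
  if (!req.session || !req.session.userId) {
    return { status: 302, headers: { Location: "/login" }, body: "" };
  }
  return { status: 200, headers: {}, body: "<html>admin panel</html>" };
}
```

Server-side CSP does not help here either way: it restricts what the browser loads, not who the server answers.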

Bounty

Alhamdulillah, thanks to Allah SWT. My tip is to go deeper and try manual analysis of the source code: look into all JavaScript files and test all endpoints. Thank you for reading my article ✌️

“Stay Hungry Stay Foolish” — Steve Jobs

Timeline

  1. 1 October 2021: Initial Report
  2. 4 October 2021: Report Validated by H1 Team
  3. 11 November 2021: Bug Fixed and Resolved
  4. 7 December 2021: $$$