Yeah, I know how it feels to see this kind of title and bounty. It looks UNREAL. But it is real. I have read lots of IDOR vulnerability reports, blogs, etc., and actually none of them were highly technical or complicated. Just 123 > 1234, 200 OK, and 1K. But when I found these kinds of vulns I realized that it's not about changing numbers; it was more about spending endless hours on the same program, looking at every corner and understanding every endpoint/function. But this time I was a little bit lucky :). This was a public program and I found this IDOR in a 3-hour run. But there is a reason: there was a new function that allowed customers to review sellers.


Here are the steps.

1- Go to my purchases and choose one of them to submit a review for the seller.

2- Intercept the POST request; there are two important parts worth analyzing: "customerId" and "orderId".

3- Change "customerId" and send it again. The server response says "customerId and orderId should match". So we need a true customerId-orderId pair. It is not easy to guess a true customerId-orderId pair to validate this bug.

4- So I created another account and sent the original request (the true customerId-orderId pair) with the new account's cookie, and the server returned 200 OK :) (The application checks that "customerId" matches "orderId" but fails to verify that the authenticated user actually owns that order.)
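To make the failing check concrete, here is an added example (not the program's code or the author's) that models the review endpoint with a constructed in-memory order store: the vulnerable handler only checks that customerId and orderId are a real pair, while the fixed handler binds the order to the authenticated session user and a small detection hook flags the mismatch seen in step 4.

```python
# Added example, not the original application's code. Order data, ids and
# handler names are constructed for illustration only.

# Constructed sample data: each order belongs to one customer and one seller.
ORDERS = {
    "ord-1001": {"customerId": "cust-1", "sellerId": "seller-A"},
    "ord-1002": {"customerId": "cust-2", "sellerId": "seller-B"},
}


def submit_review_vulnerable(session_customer_id, body):
    """Mirrors the bug: validates that customerId/orderId are a real pair
    but never compares them with the authenticated session user."""
    order = ORDERS.get(body["orderId"])
    if order is None or order["customerId"] != body["customerId"]:
        return 400, "customerId and orderId should match"
    # Ownership is never checked against session_customer_id here.
    return 200, {"sellerId": order["sellerId"], "verifiedBuyer": True}


def submit_review_fixed(session_customer_id, body):
    """Hardened handler: the order must belong to the session user.
    The client-supplied customerId is not trusted for authorization."""
    order = ORDERS.get(body["orderId"])
    if order is None or order["customerId"] != session_customer_id:
        # Same generic response for missing and foreign orders, so the
        # endpoint does not confirm which orderIds exist.
        return 404, "order not found"
    return 200, {"sellerId": order["sellerId"], "verifiedBuyer": True}


def flags_mismatch(session_customer_id, body):
    """Detection hook: a body customerId that differs from the session's
    user is the signature of the replay in step 4 and is worth logging."""
    return body.get("customerId") != session_customer_id


# Constructed request: cust-1's real pair replayed under cust-2's session.
CROSS_ACCOUNT_BODY = {"customerId": "cust-1", "orderId": "ord-1001", "rating": 1}
```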


Impact:

1- This vulnerability allows an attacker to bypass the "verified buyer" check and submit seller reviews tied to real customers' purchases.

2- Fake reviews on a seller's account allow an attacker to damage the seller's reputation and affect their sales with bad reviews, or to hype the seller's account, raising sales and misleading customers.

Important Note: Actually, I could have written a stronger report because there were other vulnerabilities to chain and raise the severity, but I wasn't familiar with this program and I was very happy to see that this actually worked and that I had found an IDOR on a public program :). They resolved and rewarded it in two days, which was very quick compared to my previous experiences.


After that I spent hundreds of hours on the same program and found several vulnerabilities from low to critical, but it turned out that the program wasn't what I had expected. Stay tuned to hear the full story.

Thanks for reading. If you want to read more write-ups like this, follow me and share your thoughts in the comments section.

Sayonara!