API based IDOR to leaking Private IP address of 6000 businesses

Hello fellow researchers,

I am Rafi Ahamed, a Cyber Security Researcher from Bangladesh. I love to break security. Anyway, without further ado, let’s get to today’s topic.

Before I start, I wanna thank Katie Paxton for her videos. I learned a lot about IDORs from her videos. I actually earned my whole year’s bounty target just from IDORs that I learned from her videos.

What is IDOR?

Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly.

What is an API?

API is the acronym for Application Programming Interface, which is a software intermediary that allows two applications to talk to each other. Each time you use an app like Facebook, send an instant message, or check the weather on your phone, you’re using an API.

So, I was testing an NDA (Non-disclosure Agreement) program and I noticed that the web application had an option to view the access logs of the users. Seems simple, right?

I have a bad habit of turning on interception and watching every request that the browser sends to the server while browsing a web application. When I visited the same page again, I noticed that my access logs were not being displayed even though the other content of the page had already loaded. Then I noticed that my interception was still on and an API request had been intercepted that was trying to fetch the users’ access logs.

If you take a closer look at the POST data, you will see that it has a UserID in it.

Then I sent the request to Intruder and brute-forced the UserID, and I got the access logs of 6000 businesses.
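The endpoint described above, as an added example that is not the post’s or the program’s own code: a Python access-log lookup with the IDOR beside its hardened form, plus the server-side check that would have surfaced the UserID enumeration in the application’s own request logs. The path `/api/access-logs`, the `UserID` field, the session model and the log store are assumptions for illustration.

```python
"""Added example: an IDOR on a per-user access-log endpoint, its fix, and a
detection over constructed request logs. All names and data are assumptions."""
import re
from collections import defaultdict

# Constructed sample store: access logs keyed by the owning user's id.
ACCESS_LOGS = {
    1001: [{"ip": "10.0.0.5", "action": "login"}],   # belongs to business A
    1002: [{"ip": "10.1.0.9", "action": "login"}],   # belongs to business B
}


def _parse_user_id(post_data):
    """Return the UserID from the POST body as an int, or None if absent/malformed."""
    try:
        return int(post_data["UserID"])
    except (KeyError, ValueError, TypeError):
        return None


def access_logs_vulnerable(session_user_id, post_data):
    """IDOR: trusts the client-supplied UserID and never compares it to the session."""
    user_id = _parse_user_id(post_data)
    return ACCESS_LOGS.get(user_id, [])


def access_logs_fixed(session_user_id, post_data):
    """Hardened: the requested object must belong to the authenticated principal.
    'Not yours' and 'does not exist' both return None so the endpoint does not
    confirm which UserIDs are valid."""
    user_id = _parse_user_id(post_data)
    if user_id is None or user_id != session_user_id:
        return None
    return ACCESS_LOGS.get(user_id, [])


# Constructed request log: s1 enumerates several UserIDs, s2 reads only its own.
SAMPLE_LOG = """\
session=s1 POST /api/access-logs UserID=1001
session=s1 POST /api/access-logs UserID=1002
session=s1 POST /api/access-logs UserID=1003
session=s1 POST /api/access-logs UserID=1004
session=s2 POST /api/access-logs UserID=1002
session=s2 POST /api/access-logs UserID=1002
"""
_LINE = re.compile(r"session=(\S+) POST /api/access-logs UserID=(\d+)")


def suspicious_sessions(log_text, threshold=3):
    """Flag sessions that request access logs for >= threshold distinct UserIDs,
    which is what Intruder-style enumeration looks like from the server side."""
    seen = defaultdict(set)
    for session_id, user_id in _LINE.findall(log_text):
        seen[session_id].add(int(user_id))
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)
```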

I quickly reported the bug and the company fixed it within 48 hours. I got a nice four-figure dollar bounty for the bug.

Hope you guys enjoyed this one. PM me on Facebook, LinkedIn or Twitter anytime if you have any questions.

#Hack’em all

Pentester/Bug Bounty Hunter & A typical Business Undergraduate. (https://www.facebook.com/rafiahamed.rupak.3)