IDOR to change the email notifications of user

April 30, 2018

IDOR

Hey guys. Welcome to this new post from ENCIPHERS. Recently we have been writing a lot about bypass of different access controls and in the recent pentest conducted by our team, we again got some medium priority vulnerabilities regarding horizontal access bypass we found IDOR in a email. And we will be discussing what was the vulnerability and how we proceeded to get that.

So what was the vulnerability?

As you can see in the title itself, the vulnerability was that any user can unsubscribe any other random user from the email notifications. Now on the first look, you will think that it’s not a very cool type of vulnerability but let’s say, there is going to be a sale of Redmi Note 6 Pro on Amazon from today. The item is already OUT OF STOCK, so Amazon says that you will get an email notification when the sale resumes again. We believe that you must be getting where we are going with this. So now, what if the user was unsubscribed from his/her email services and wasn’t getting email notifications for the above item when it was out? He/she won’t know when the item is again in stock. This will lead to the decline of the business of the company which is a great problem in itself. Now the site we pen-tested had the similar kind of vulnerability present.

How we proceeded to get the vulnerability?

The application was a European e-commerce website.

  • We simply logged in to our user account.
  • For every item present there, there was an option to get email notifications for any upcoming information on that item.
  • If we turned on this notification, each time a mail will be sent to us.The link in the mail looked something like this:http://www.xyz.com/ticker/management/771255762/admin
  • As you can see, there is an identifier and we have already discussed in our IDOR posts earlier, how to check when there are simple identifiers like this one, no alphabets or special characters included.
    So we created another account and tried to open this same link in that user account.

Result of doing this?

We could see the items to which the user has subscribed to. Not only this, the user’s email id was also in open there with an option to check and uncheck the different subscriptions.
Now, we simply unchecked the different subscriptions and then when we checked it from the first account, there were no subscriptions present in the Subscription tab.

So this was a simple horizontal access bypass in which if we could somehow guess the identifier or we could see the person’s mail and which can definitely help for a larger attack. Now the most dangerous thing in this case, can be using the Burp INTRUDER. In cases like this, the one thing which you need is to see that what part of the identifier is varying and put your payload in that style.
It can give you a whole list of valid user id’s which can then be used for phishing or different high-level attacks apart from the IDOR we have seen here.IDOR

Main Points to take out from here:

We have written many posts on this kind of issues and the motivation to write this is access control measures not taken like putting a filter at a place. It needs to be executed for each request and for each action. There were no identifiers present in the application itself. But the identifier was present in the mail which led to getting this medium priority vulnerability. So keep a look for any place be it URL or mail for any kind of id. For any kind of reference on IDOR, you can always read this post of ours. Hope you will get to know another technique if you get something similar to this while testing or bug hunting. Happy hacking..!!!!