Insecure Direct Object Reference (IDOR) - PII Data Leak
Thanks, hacker community, you all inspire me a lot.
Insecure Direct Object Reference (called IDOR from here on) occurs when an application exposes a reference to an internal implementation object. In doing so, it reveals the real identifier, and the format/pattern used for that element on the storage backend side. The most common example (although it is not limited to this one) is a record identifier in a storage system (database, filesystem and so on).
Vulnerability Scenario:
This application is used to make bookings. It was observed that it has premium features; just out of curiosity, I purchased the premium feature and made a booking.
Once you make a booking, it was observed that you receive a link in your inbox. Once you click on the link below:
“https://localhost.com/loadappoinments?id=123456”
It loads your booking details. First, I tried changing the value to another booking value (e.g. 123455) and observed that CSRF protection was in place and tied to the user session, so to bypass it I removed the CSRF value and sent the request.
I also observed there was no rate limiting in place, which made it very easy to brute-force and obtain other users' details.
POC:
Remediation:
Implement a proper server-side authorization check on object references: before returning the booking identified by `id`, confirm that the authenticated user is entitled to it.
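The remediation in a small, runnable form, added here as an illustration and not taken from the application in this write-up: a model of the booking lookup behind `/loadappoinments?id=...`, first in the IDOR-prone shape and then with the lookup scoped to the authenticated user. The booking store, user ids and function names are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

@dataclass(frozen=True)
class Booking:
    booking_id: int
    owner_user_id: int
    details: str

# Constructed sample data: two bookings owned by two different users.
BOOKINGS = {
    123456: Booking(123456, owner_user_id=42, details="Premium booking, user 42"),
    123455: Booking(123455, owner_user_id=7, details="Premium booking, user 7"),
}

class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""

def load_appointment_insecure(session_user_id: int, booking_id: int) -> str:
    """IDOR-prone pattern: the id from the query string is the lookup key and
    nothing ties it to the logged-in user, so any authenticated user can read
    any booking by changing the id (the session argument is ignored)."""
    booking = BOOKINGS.get(booking_id)
    if booking is None:
        raise KeyError("no such booking")
    return booking.details

def load_appointment_secure(session_user_id: int, booking_id: int) -> str:
    """Hardened pattern: the object is returned only if the session's user owns
    it. A missing record and someone else's record fail the same way, so the
    endpoint does not confirm which ids exist."""
    booking = BOOKINGS.get(booking_id)
    if booking is None or booking.owner_user_id != session_user_id:
        raise Forbidden("booking not found or not yours")
    return booking.details

def handle_load_appointments(session_user_id: int, query_string: str) -> tuple:
    """Handler shape for /loadappoinments: parse ?id=..., reject non-numeric
    ids, and answer with (status, body) using the secure lookup."""
    raw = parse_qs(query_string).get("id", [""])[0]
    if not raw.isdigit():
        return 400, "invalid id"
    try:
        return 200, load_appointment_secure(session_user_id, int(raw))
    except Forbidden:
        return 404, "not found"
```

The ownership check belongs in the data-access layer (here, inside `load_appointment_secure`), so that every caller gets it rather than each handler remembering to add it.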