Insecure Direct Object Reference (IDOR) - PII Data Leak

ganiganeshss79
2 min readJun 14, 2021

Thanks to the hacker community; you all inspire me a lot.

Insecure Direct Object Reference (called IDOR from here on) occurs when an application exposes a reference to an internal implementation object. In doing so, it reveals the real identifier, and the format or pattern of that identifier, used for the element on the storage backend. The most common example (although it is not limited to this one) is a record identifier in a storage system (database, filesystem and so on).

Vulnerability Scenario:

This application is used to make bookings. I observed that it has Premium features, and out of curiosity I purchased the Premium feature and made a booking.

Once you make a booking, I observed that you receive a link in your inbox. You then click on the link below.

“https://localhost.com/loadappoinments?id=123456”

It will load your booking details. First I tried changing the value to another booking value (for example, 123455) and observed that CSRF protection was in place and tied to the user session, so to bypass it I removed the CSRF value and sent the request.

I also observed that there was no rate limiting in place, which made it very easy to brute-force and obtain other users' details.

POC:

Remediation:

Implementing a proper authorization check for object values.
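As an added illustration of that remediation (example code written for this post, not the vulnerable application's own code), the handler below is shown in the insecure form the post describes and in a hardened form. The hardened version takes the subject (user id) from the authenticated session and the object (appointment id) from the URL, and returns the record only when the two match; the class and function names and the sample bookings are constructed for the demo.

```python
# Added example (not from the original post): an appointment lookup that
# enforces an ownership check, beside the unchecked pattern the post describes.
# Appointment, APPOINTMENTS and the function names are constructed for this demo.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Appointment:
    id: int
    owner_id: int
    details: str


# Constructed sample storage: two bookings belonging to two different users.
APPOINTMENTS: Dict[int, Appointment] = {
    123456: Appointment(123456, owner_id=1, details="Premium booking of user 1"),
    123455: Appointment(123455, owner_id=2, details="Premium booking of user 2"),
}


class NotFound(Exception):
    """Raised when no record exists for the requested id."""


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


def load_appointment_insecure(appointment_id: int) -> Appointment:
    """Vulnerable pattern (the IDOR in the post): trusts the id from the URL and
    returns whatever it points to, regardless of who is asking."""
    appt = APPOINTMENTS.get(appointment_id)
    if appt is None:
        raise NotFound(appointment_id)
    return appt


def load_appointment(session_user_id: int, appointment_id: int) -> Appointment:
    """Hardened pattern: the user id comes from the server-side session, never
    from the request, and the record is returned only if that user owns it."""
    appt = APPOINTMENTS.get(appointment_id)
    # Treat 'does not exist' and 'not yours' identically so the endpoint does
    # not confirm which ids are valid to someone stepping through them.
    if appt is None or appt.owner_id != session_user_id:
        raise Forbidden(appointment_id)
    return appt


def can_access(session_user_id: int, appointment_id: int) -> bool:
    """Boolean view of the hardened check, convenient for tests and templates."""
    try:
        load_appointment(session_user_id, appointment_id)
        return True
    except Forbidden:
        return False


def list_appointments(session_user_id: int) -> List[Appointment]:
    """Alternative that avoids the problem entirely: scope the query by owner
    (the equivalent of `WHERE owner_id = ?`) instead of filtering afterwards."""
    return [a for a in APPOINTMENTS.values() if a.owner_id == session_user_id]


if __name__ == "__main__":
    # User 1 reads their own booking, then the id from the post's example bypass.
    print(load_appointment(1, 123456).details)
    print("user 1 may read 123455:", can_access(1, 123455))
    print("user 1 bookings:", [a.id for a in list_appointments(1)])
```

The key design point is that the ownership test is made on every read, not only when rendering a list: the CSRF token the post mentions proves the request originated from the user's browser, not that the user is allowed to see the object, so it is not a substitute for this check.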
