👋 Hello, I am Manan Sanghvi, and this is my first write-up on how, while still under 18, I earned my first four-figure bounty from a multi-billion-dollar organization by hacking it ethically.
I am not disclosing the program name in this write-up, and I have redacted the sensitive details, because the finding involves a lot of sensitive data.
Vulnerability Name
Insecure Direct Object Reference (IDOR)
Impact of this Attack
Exposure of sensitive data, including addresses, order details, phone numbers, apartment details, payment QR codes, etc. (Personally Identifiable Information, i.e. PII leakage)
Overview of IDOR (for those who are beginners in hacking)
Insecure Direct Object Reference (IDOR) is an access-control vulnerability. It occurs when an application exposes a direct reference to an internal object, such as a file, directory, or database key, and then fails to check that the requesting user is actually authorized to access that object. Attackers exploit it by manipulating the reference (for example, changing an ID in a URL or request body) to reach data or resources that belong to other users.
Overview of the Domain I Was Testing
The subdomain I was testing is a general shopping site. All the typical functionality was available, including login, product selection, cart management, ordering, online payment, and cash on delivery (CoD).
Which Functionality was Vulnerable to IDOR?
After exploring the site manually, I noticed a piece of functionality that differs from most shopping platforms. Typically, payment has to be confirmed immediately when you place an order. Here, after a successful purchase, you get a window of 3–4 days to confirm the final payment before the order is dispatched to your home. If payment isn’t completed within that window, the order is cancelled automatically.
So I decided to test this functionality: I chose one product and placed an order, but did not make the payment.
After placing the order, the site gave me three options:
- Order Documents - view details such as product information, address, quantity, amount, and payment options (downloaded as a PDF).
- Help With Ordering - get help about the product (support).
- Cancel The Order - cancel the order.
This is where I thought about testing for IDOR. Burp Suite was proxying my browser the whole time I was surfing the site.
I turned on intercept and clicked “Order Documents”.
I saw that the server uses an “orderId” parameter to identify and handle every order. The biggest advantage for an attacker is that the IDs are short, plain numbers like 123456, 654321, 789456, etc., so other customers’ orders can be enumerated trivially by incrementing or decrementing the value; there is no random token to guess.
I sent the request to the Repeater tab and simply changed the last digit of the “orderId” parameter.

The response contained two URLs.

Both URLs pointed to sensitive data.
The first URL contained information about the product supplier, and the second was the payment invoice (in PDF format) with the customer’s first name, last name, physical address, order date, amount, product name, apartment details, etc. In other words, the server handed over another customer’s documents without ever checking that the order belonged to my account.
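To make the failure concrete, here is an added example of my own (not the program’s code, and I never saw their backend). It models the “Order Documents” endpoint as a simple Python lookup, shows the vulnerable handler next to a fixed one that enforces ownership, and replays the Repeater step of varying the last digits of orderId. Everything in it is an assumption: the ORDERS table, the users alice/bob/mallory, the document paths, and the function names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str          # account that placed the order
    supplier_url: str   # hypothetical "supplier details" document
    invoice_url: str    # hypothetical invoice PDF carrying the customer's PII


# Constructed sample data: short numeric orderIds, as the write-up observed.
# "mallory" is the tester; "alice" and "bob" are other customers.
ORDERS = {
    123455: Order(123455, "alice", "/docs/123455/supplier.pdf", "/docs/123455/invoice.pdf"),
    123456: Order(123456, "mallory", "/docs/123456/supplier.pdf", "/docs/123456/invoice.pdf"),
    123457: Order(123457, "bob", "/docs/123457/supplier.pdf", "/docs/123457/invoice.pdf"),
}


class NotFound(Exception):
    """Stand-in for an HTTP 404 response."""


def order_documents_vulnerable(session_user: str, order_id: int) -> list[str]:
    """The IDOR pattern: the handler trusts the client-supplied orderId and
    only checks that the order exists, never who owns it. session_user is
    accepted but ignored, exactly the bug."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return [order.supplier_url, order.invoice_url]


def order_documents_fixed(session_user: str, order_id: int) -> list[str]:
    """Hardened handler: the order must belong to the authenticated user.
    A foreign order gets the same 404 as a missing one, so the endpoint
    does not confirm which orderIds exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != session_user:
        raise NotFound(order_id)
    return [order.supplier_url, order.invoice_url]


def enumerate_adjacent(handler, session_user: str, own_order_id: int,
                       radius: int = 2) -> dict[int, list[str]]:
    """Replays the Repeater step: start from the tester's own orderId and
    vary the last digits. Returns {orderId: document URLs} for every
    request the handler answered, i.e. every order that leaked."""
    leaked = {}
    for candidate in range(own_order_id - radius, own_order_id + radius + 1):
        if candidate == own_order_id:
            continue  # our own order is not a leak
        try:
            leaked[candidate] = handler(session_user, candidate)
        except NotFound:
            continue
    return leaked


if __name__ == "__main__":
    # Against the vulnerable handler, alice's and bob's documents come back;
    # against the fixed handler, nothing does.
    print("vulnerable:", enumerate_adjacent(order_documents_vulnerable, "mallory", 123456))
    print("fixed:     ", enumerate_adjacent(order_documents_fixed, "mallory", 123456))
```

The fix is the single ownership comparison in order_documents_fixed; a real application would do the same with a WHERE owner = :user clause or an equivalent authorization check on every object lookup. Returning 404 rather than 403 for foreign orders is a deliberate choice so that an attacker enumerating IDs cannot even learn which ones exist.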

Me be like😄😋,

After reporting, I received an initial response saying they were investigating the matter. Unfortunately, there was no further communication for three months. I began losing hope and eventually forgot about the report entirely. 😞😔
But after three months, they sent the reply I had been hoping for. 😊
We confirm the vulnerability; your ticket has been triaged.
We have successfully reproduced the vulnerability you described. We will come back later with a decision on the amount of the reward!!
And a few days later, I got this reply. 💰💵💲

“We are happy to inform you that your security report has won a reward of $2,600.”
If you enjoyed this write-up, show some love! Like, share, drop a comment, and follow for more content!!
Also follow me on :
LinkedIn - https://www.linkedin.com/in/manan-sanghvi-799863176
Twitter - https://twitter.com/An____Anonymous
Thank You! 👍😊