This is an interesting IDOR vulnerability leading to account takeover, and I am sure many will like the trick described in this write-up. The company has both a software product and a SaaS offering, and both were affected by this vulnerability. You will be surprised that all the top companies in the world use this service. Though the award was only a 20 Euro coupon, I think the trick of finding this IDOR was great. Let's name the site www.sample.com. Sample.com has 4 privilege levels, of which the highest is Administrator and the lowest is User.
Sample.com provides a SaaS as well as a product platform for using its services by allowing a user to create a subdomain. So vibhuti123.sample.com is an organisation domain. Now let's say vibhuti123.sample.com has 2 accounts: admin with Administrator privileges and hacker with User privileges.
The PoC below explains account takeover using this IDOR in detail.
Impact: Complete account takeover
1) I have two accounts whose username and password are mentioned below
2) I have intentionally used the same password, abcdef, for both accounts, which I will change later. Now admin is the administrator for the site https://vibhuti123.sample.com
I have set the password complexity to medium level so I can use abcdef as my password without any complexity requirement. I will go one by one, increasing the level of password complexity. Before going forward I want to mention that it is not possible to execute a brute-force attack on the login page, because after 5 unsuccessful attempts it starts CAPTCHA verification.
3) Now log in to https://vibhuti123.sample.com with the hacker username and go to the URL below
4) The above URL is the profile page of the user hacker. In the profile page there is a tab to change the current password, so click the Change Password link as shown in Diagram 1.
5) After clicking the above link you will go to the page below with the link below; see Diagram 2
6) Now put a random password as current-password and a random password for new-password. Turn the Burp proxy on and intercept the request in Burp; see Diagram 3
7) As we can see in the above diagram, the username hacker is mentioned in the request. Now change the username to admin, whose password we want to change: new-password will be vibhuti and current-password will be abcdef. Remember that admin and hacker both have the same current password, abcdef. The problem is that the current user session is hacker, but if we change the username to admin and supply admin's current password (which is the same for both), the password gets changed for admin through the user hacker's session. If we do not know admin's current-password we can easily brute-force it and change admin's password. I brute-forced the current-password 10000 times, no rate limiting was implemented, and I successfully changed the password of admin. The time taken to change the admin password will be:
Level of severity                                                    Time taken
For a common dictionary password                                     0.29 milliseconds
For a 6 character password with three complexity, like Sk!ps1        6 minutes
For a 7 character password with three complexity, like Sk!ps1h       5 hours
For an 8 character password with three complexity, like Sk!pf1sh     10 days
For a 9 character password with three complexity                     6 years
For a 10 character password with three complexity                    160 years
Here three complexity means one uppercase letter, one number and one symbol.
8) It seems impossible only if the admin creates a nine-character or longer password with three complexity. The others are practically possible.
9) To prove it I did two tests
First) I changed the username in the intercepted request from hacker to admin, with current password abcdef and new password vibhuti. Even though the current session belonged to the user hacker, the admin password got changed. This clearly means that the current session is not validated against the username provided in the request.
2nd) Then I changed the admin user's password to admin. I brute-forced the last 4 characters, and with 37412 requests I was able to change the password of the user admin. See the 200 OK message that came at around request 37412 in Diagram 4
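To make the two root causes concrete, here is an added example (my own code, not the vendor's) showing a minimal change-password handler in the vulnerable shape the write-up describes, beside a fixed version that binds the change to the session user and throttles current-password guesses. The account names, the MAX_ATTEMPTS threshold and the PBKDF2 storage are assumptions for the demo.

```python
import hashlib
import hmac
import os

def _hash(pw: str, salt: bytes) -> bytes:
    # PBKDF2 is used here only to keep the demo dependency-free.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

# Constructed sample data: the two accounts from the write-up, both using "abcdef".
SALT = os.urandom(16)
USERS = {name: _hash("abcdef", SALT) for name in ("admin", "hacker")}
MAX_ATTEMPTS = 5            # assumed lockout threshold, not taken from the page
attempts: dict = {}         # failed current-password guesses per session user

def verify(username: str, pw: str) -> bool:
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, _hash(pw, SALT))

def change_password_vulnerable(session_user: str, form: dict) -> int:
    """Mirrors the bug: trusts form['username'] over the session and never throttles."""
    if verify(form["username"], form["current-password"]):
        USERS[form["username"]] = _hash(form["new-password"], SALT)
        return 200
    return 401

def change_password_fixed(session_user: str, form: dict) -> int:
    """Only the authenticated user may change their own password, with a guess limit."""
    if attempts.get(session_user, 0) >= MAX_ATTEMPTS:
        return 429                      # locked; require re-authentication or CAPTCHA
    if form.get("username") not in (None, session_user):
        return 403                      # mismatch with session: log as a possible IDOR probe
    if not verify(session_user, form["current-password"]):
        attempts[session_user] = attempts.get(session_user, 0) + 1
        return 401
    attempts.pop(session_user, None)
    USERS[session_user] = _hash(form["new-password"], SALT)
    return 200
```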