Hi Guys,

This particular hack is from my initial days of bug bounty hunting, and the main reason to pick this up from the vault is not to describe the technique used to find the vulnerability, but:

To expose and highlight the poor security standards in the IT industry, to bring to attention the major security loopholes that are left unattended even by big firms, and to spread awareness among companies so that they take information security as seriously as any other branch.

Let’s see what the complete scenario was:

Just like every other online shopping website, Naaptol lets the user select the address where they want the product shipped:

Shipping Address HTTP request during payment

The response to the above request contains the address, including the complete user details associated with that address id.

User Address Details

And here comes a classic case of Insecure Direct Object Reference (IDOR): I changed the address id to some other number (the ids turned out to be incremental), from 17917835 to 17917837, and, without any surprise, I was able to see the full details of the other user associated with that ID, including sensitive details like the victim’s full name, complete address, mobile number, etc.

Accessing other user details

Then I ran Intruder, brute-forced the address id and was able to fetch the complete details of a large number of Naaptol users.

Naaptol User Details
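The flaw above in code form, as an added example that is not part of the original post: an address lookup keyed on the id alone, the same lookup with a server-side ownership check, and a small log check that flags a session walking through consecutive ids the way the brute-force run did. The in-memory store, the ids, the log lines and the function names are all constructed for illustration.

```python
"""IDOR on an address-lookup endpoint: vulnerable lookup, ownership-checked
lookup, and a detector for sequential-id enumeration in access logs.
Hypothetical example; the store, ids and log lines are constructed."""
from collections import defaultdict

# Constructed data: address rows keyed by an incremental id, each owned by a user.
ADDRESSES = {
    17917835: {"owner": "user_a", "name": "A. Sharma", "mobile": "98xxxxxx01"},
    17917836: {"owner": "user_b", "name": "B. Verma", "mobile": "98xxxxxx02"},
    17917837: {"owner": "user_c", "name": "C. Rao", "mobile": "98xxxxxx03"},
}

def get_address_vulnerable(session_user, address_id):
    """Looks up by id only: any logged-in user can read any address row."""
    return ADDRESSES.get(address_id)

def get_address_fixed(session_user, address_id):
    """Server-side ownership check: the id is an index, not an authorization."""
    row = ADDRESSES.get(address_id)
    if row is None or row["owner"] != session_user:
        return None            # same answer for "missing" and "not yours"
    return row

# Constructed access-log lines: "<session> <address_id requested>"
LOG = """sess1 17917835
sess1 17917836
sess1 17917837
sess1 17917838
sess2 17917836"""

def enumeration_suspects(log_text, min_run=3):
    """Flag sessions that request a run of consecutive address ids; a real
    client fetches its own one or two saved addresses, not a sequence."""
    ids = defaultdict(set)
    for line in log_text.splitlines():
        sess, aid = line.split()
        ids[sess].add(int(aid))
    suspects = {}
    for sess, seen in ids.items():
        longest = run = 0
        for aid in sorted(seen):
            run = run + 1 if aid - 1 in seen else 1
            longest = max(longest, run)
        if longest >= min_run:
            suspects[sess] = longest   # length of the longest consecutive run
    return suspects
```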