mehdisadir Profile picture
Mar 11 9 tweets 2 min read
Here is how I chained two bugs to exploit a UUID-based IDOR and gained access to the admin panel.

🧵THREAD🧵
1. How did I know that the target uses the same panel for both normal users and admins?! Because of two things: the first is subdomain enumeration,
the second is the JS files.
After enumerating the subdomains, no admin panel was found for the main app.
But when reading the main JS file of the target, there were some keywords like is_admin or administration, or anything related to super user privileges.
Then I started digging to find what I would need to access the admin panel.
1. After extracting all endpoints from the JS file and adding my Authorization header to ffuf, I discovered that one endpoint was leaking other users' IDs (UUIDs), and by just changing the request ID I was able to extract a lot of other information about other users.
2. There was another endpoint which is responsible for updating the user's data (/api/v1/session).
This endpoint requires the user ID in order to change their own data.
3. After extracting other users' IDs, it is now easy to take over any account.
Note: when finding an IDOR that requires a UUID, don't waste your time reporting it, because the UUID will be near impossible to bruteforce.
4. To take over the account there are many scenarios; one of them is to change the email of the victim to your own email and then request a password reset. But the magic here is that there was a hidden parameter that I discovered by chance, which is password.
5. I sent the following request and added the password parameter with the new password and the victim's ID.
And boom! Password changed successfully.

And I was able to take over any account, for any user or admin in the app.
Tip: Always try to understand what the ideas of the developer were when they were developing the app. Is there any admin panel that can be accessed with only a normal user token?
Is there any admin-related keyword in the main JS files of the app?
Always ask yourself how the app works.
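The two bugs chained above (a profile-update endpoint that trusts the client-supplied user ID, and a hidden password parameter it writes straight through) come down to missing object-level authorization plus mass assignment. The following is an added example, not code from the thread or from the target it describes: an in-memory Python model of the /api/v1/session handler written first the way the thread says the target behaved, then hardened. The endpoint path is the thread's; the user store, the field names, the `_hash` stand-in, the `update_session_*` and `change_password` function names, and the sample accounts are assumptions constructed for illustration.

```python
import uuid
from dataclasses import dataclass


@dataclass
class User:
    id: str
    email: str
    password_hash: str
    is_admin: bool = False


def _hash(password: str) -> str:
    # Stand-in for a real password hash (argon2/bcrypt); enough to show the flow.
    return "hash:" + password


USERS: dict[str, User] = {}


def _add_user(email: str, password: str, is_admin: bool = False) -> User:
    u = User(id=str(uuid.uuid4()), email=email,
             password_hash=_hash(password), is_admin=is_admin)
    USERS[u.id] = u
    return u


# Constructed sample accounts (one admin, one victim, one attacker-controlled).
ADMIN = _add_user("admin@example.test", "admin-secret", is_admin=True)
VICTIM = _add_user("victim@example.test", "victim-secret")
ATTACKER = _add_user("attacker@example.test", "attacker-secret")


def update_session_vulnerable(caller_id: str, body: dict) -> tuple[int, dict]:
    """The behaviour the thread describes: the record updated is whatever 'id'
    the client sends, and every field in the body is written, including ones
    the UI never exposes such as 'password'. A UUID is not an authorization
    check; the thread's other endpoint leaked the UUIDs anyway."""
    target = USERS.get(body.get("id", caller_id))
    if target is None:
        return 404, {"error": "no such user"}
    for key, value in body.items():
        if key == "password":
            target.password_hash = _hash(value)
        elif key != "id":
            setattr(target, key, value)
    return 200, {"id": target.id, "email": target.email}


# Allowlist of fields a self-service profile update may change.
UPDATABLE_FIELDS = {"email"}


def update_session_hardened(caller_id: str, body: dict) -> tuple[int, dict]:
    """Object-level authorization plus a field allowlist."""
    target_id = body.get("id", caller_id)
    # 1. The caller may only edit their own record. Admin edits of other users
    #    belong on a separate, separately-authorized route (assumed, not shown).
    if target_id != caller_id:
        return 403, {"error": "cannot modify another user's record"}
    # 2. Reject anything not on the allowlist, so neither 'password' nor
    #    'is_admin' can be smuggled in as a hidden parameter.
    unexpected = set(body) - UPDATABLE_FIELDS - {"id"}
    if unexpected:
        return 400, {"error": f"unexpected fields: {sorted(unexpected)}"}
    target = USERS[caller_id]
    for key in UPDATABLE_FIELDS & set(body):
        setattr(target, key, body[key])
    return 200, {"id": target.id, "email": target.email}


def change_password(caller_id: str, current_password: str,
                    new_password: str) -> tuple[int, dict]:
    """Password changes get their own endpoint and re-authenticate the caller,
    so a profile update can never double as a takeover."""
    caller = USERS[caller_id]
    if caller.password_hash != _hash(current_password):
        return 403, {"error": "current password does not match"}
    caller.password_hash = _hash(new_password)
    return 200, {"status": "password changed"}
```

The hardened handler derives the target from the authenticated session, not from the body, and fails closed on any field it does not expect; a denylist of "dangerous" fields would have missed the next hidden parameter. Keeping the password change on its own route that re-checks the current password also means that the email-change-then-reset scenario mentioned in the thread is the only remaining path, and that one is caught by requiring confirmation of the new address before it becomes the reset target.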
