Friday, August 09, 2019

Read other user support tickets in https://support.<REDACTED>.com (Write Up)



Howdy!

In this article I will show you an Insecure Direct Object Reference vulnerability that I found in a private program on Bugcrowd a few years ago. The vulnerability allowed me to access any support ticket without any restriction by just enumerating/changing the ticket IDs. The vulnerable feature was the ticket printing on the support dashboard.

This issue was reported to a private program on Bugcrowd a few years ago and closed as Won't Fix.

So below is the report timeline and proof of concept of the issue.

--Proof of Concept--

1. Go to https://support.<REDACTED>.com
2. Create a ticket
3. Print your ticket and you will get the following URL.
Vulnerable URL: https://support.<REDACTED>.com/client/ticket/print/<ticket id>

The ticket ID is composed of five numbers, so using Burp Suite Intruder I was able to enumerate and check every single ticket, which allowed me to read other users' email address, username, message, etc.

Result: Insecure Direct Object Reference Vulnerability.
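The control missing from the print endpoint is an object-level ownership check. The sketch below is an added example, not code from the affected application: it puts a handler with the behaviour described above next to a hardened one, and adds a small regression check that lists every cross-user read a handler allows. The function names, the session model, the staff exception and the sample tickets are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    ticket_id: int
    owner: str
    email: str
    message: str


# Constructed sample data (hypothetical users, five-digit IDs as in the write-up).
TICKETS = {
    10001: Ticket(10001, "alice", "alice@example.test", "Cannot log in"),
    10002: Ticket(10002, "bob", "bob@example.test", "Refund request"),
}


def print_ticket_vulnerable(session_user, ticket_id):
    """Behaviour described in the write-up: the ID alone selects the ticket."""
    ticket = TICKETS.get(ticket_id)
    if ticket is None:
        return 404, None
    return 200, ticket  # no comparison between ticket.owner and the caller


def print_ticket_hardened(session_user, ticket_id, staff=frozenset()):
    """Same endpoint with an ownership check tied to the session."""
    if session_user is None:
        return 401, None
    ticket = TICKETS.get(ticket_id)
    # One 404 for both "no such ticket" and "not your ticket", so the
    # response does not reveal which IDs exist.
    if ticket is None or (ticket.owner != session_user and session_user not in staff):
        return 404, None
    return 200, ticket


def cross_user_reads(handler):
    """Regression check: every (user, ticket_id) pair where a user
    successfully reads a ticket owned by someone else."""
    leaks = []
    for user in sorted({t.owner for t in TICKETS.values()}):
        for tid, ticket in sorted(TICKETS.items()):
            status, _ = handler(user, tid)
            if ticket.owner != user and status == 200:
                leaks.append((user, tid))
    return leaks
```

An empty result from `cross_user_reads` is the condition to enforce in the test suite for any route that takes an object ID from the URL.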

--Report Timeline--

Report Title: Read any support ticket on with restriction
Reported: 20, June 2017
Closed: 21, July 2017
Reward: $120

Thank you for the submission. We are awarding the bounty. However, this was scheduled to go offline before your submission, so we are likely not going to fix this one.
Happy hunting!

So I hope you enjoy this write up, have a great day everyone!

“It is better to be hated for what you are than to be loved for what you are not.”
― Andre Gide, Autumn Leaves
