Sunday 15 May 2016

User Account Hijack via IDOR

Hi All,

One more day of hack!

While researching vulnerabilities, I found a critical Insecure Direct Object Reference (IDOR) in a hotel booking website that allowed me to hijack any user account.

What is IDOR?
Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter that points directly to an object. The root cause is that the application takes the identifier from the user and grants access to the object without performing any authorization check.
IDOR has held the fourth spot in the Open Web Application Security Project (OWASP) Top 10 list of the most critical web application security risks since 2007.

I found this vulnerability at a hotel booking company in India. Given only a user's email address, I was able to completely compromise that user's account.

Below are the steps:

1. I created an account and went to my profile section, where I found functionalities such as "Wallet Money" and "My Bookings", just like every travel booking website has.

2. I captured the request sent when clicking the "Wallet Money" functionality and found that it contained a parameter holding the email address, i.e. emailId.

The response to the request is the credit balance the user has in their wallet.

3. Seeing this, I changed the email address to another one (belonging to a registered user of the site, obviously) and found that I was able to view the wallet balance of the user associated with that address.

I changed the email address to the victim's and received the response below:

4. Similarly, the "My Bookings" functionality was vulnerable to IDOR: I could see the bookings made by a user by modifying the email address. I then went further and tried to hijack a user account through the "New Password" functionality.

From the above two scenarios, I concluded that the user's email address was not tied to any authentication token, and that there was no authorization check of whether the user had access to the particular object.

5. I went to the "My Profile" section, where I could change the current password, and captured the raw request.
6. As you can see in the request, there are parameters such as FirstName, LastName, Email, Password and NewEmail.

I then changed the "Email" parameter to the victim's email address, i.e. moneyjain030193@gmail.com, set a password of my choice, i.e. 123456, and, as expected, got a 200 OK.

With no surprise, I was able to log in successfully with the victim's email address and the password I had chosen for them.
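As an added illustration (not the booking site's code), the two endpoints from the walkthrough are sketched below in the vulnerable shape, where a client-supplied email address selects the object, beside a fixed shape where the object is bound to the server-side session and a password change requires the current password. All account data, tokens and parameter names other than emailId, Email and Password are constructed for the example.

```python
import hashlib, hmac, os

def hash_pw(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def make_user(pw, wallet):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_pw(pw, salt), "wallet": wallet}

# Constructed sample data standing in for the site's user table and session store.
USERS = {"me@example.com": make_user("my-password", 0),
         "victim@example.com": make_user("victim-secret", 1500)}
SESSIONS = {"tok-me": "me@example.com"}  # session token -> account it was issued to

def verify_password(email, pw):
    u = USERS[email]
    return hmac.compare_digest(hash_pw(pw, u["salt"]), u["hash"])
def wallet_vulnerable(token, params):
    # Handlers return (HTTP status, body). This one authenticates the caller,
    # then lets params["emailId"] choose the object: the IDOR from the post.
    if token not in SESSIONS:
        return 401, "login required"
    return 200, {"emailId": params["emailId"], "balance": USERS[params["emailId"]]["wallet"]}
def change_password_vulnerable(token, params):
    # Same defect on a write: params["Email"] decides whose password is replaced.
    if token not in SESSIONS:
        return 401, "login required"
    USERS[params["Email"]]["hash"] = hash_pw(params["Password"], USERS[params["Email"]]["salt"])
    return 200, "ok"

def authorize(token, requested):
    """Fix: the owner comes from the server-side session; a client-supplied
    identifier is accepted only when it names the caller's own account."""
    caller = SESSIONS.get(token)
    if caller is None:
        return None, (401, "login required")
    if requested not in (None, caller):
        return None, (403, "object does not belong to the authenticated user")
    return caller, None
def wallet_fixed(token, params):
    caller, err = authorize(token, params.get("emailId"))
    if err:
        return err
    return 200, {"emailId": caller, "balance": USERS[caller]["wallet"]}
def change_password_fixed(token, params):
    caller, err = authorize(token, params.get("Email"))
    if err:
        return err
    if not verify_password(caller, params.get("CurrentPassword", "")):
        return 403, "current password required"  # re-authenticate before a sensitive write
    USERS[caller]["hash"] = hash_pw(params["Password"], USERS[caller]["salt"])
    return 200, "ok"
```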

That's all about this IDOR vulnerability: simple yet critical.

Suggestions and feedback are welcome :)