IDOR – Execute JavaScript into anyone account

Hey guys,

New blog post about critical IDOR issue which I found in terapeak.com which allows attackers to change any user information and delete any saved bulk search remotely through one’s own account by just changing the Token id in Put and DELETE Request.

The request for change and save search info looks like:

It was observed that by simply changing the value of <token=> in the above URL, it is possible to change user info and delete search and save for the user associated with that particular Token.

Original Request:

Edited Request:

XSS

So I found stored XSS in saved search:

An attacker can plot IDOR attack to change user saved search with a XSS payload and when user will access his account XSS will pop-up.

Thanks for reading!  Happy Hunting 🙂

 

 

shubhamgupta

 

Leave a Reply

Your email address will not be published. Required fields are marked *