Hacking a company and able to Access 1 Lakh customers personal details
2021-06-16 20:28:15 Author: infosecwriteups.com

Ajay Sharma

Hello Everyone

Hope you are doing good & healthy.

This is my first blog on bug bounty and I am really excited about it at the time of writing this.

Today I will share an IDOR bug which allowed me to find 1 Lakh users' personal phone numbers, addresses & emails.

It's a private program so I won't be able to share the name of the website, but let's take it as target.com.

So the vulnerability exists in a GET request endpoint, which is used to fetch the details of a user.

One day while trying to hunt some bugs on the target, I first did some recon.

I did the basic recon with Subfinder | httpx | aquatone, then tried to find some low hanging fruits & automated bugs using nuclei, but no luck :/

Then I started hunting on the main domain. Signed up as a user & tried to find some ATOs (Account Takeover) through forgot password, but tough luck :/

Tried finding some XSS & CSRF, but again no luck :/

Then I started looking for the endpoints in Burp & this is where the dopamine levels were going bonkers as I came across an endpoint /api/users/159734

This time I got a feeling like something's bad here.

The request & response of the endpoint look like this:

I then removed the number 139118 from the endpoint /api/users/139118 and changed it to /api/users/1 & BOOM! You got what you need.

Then I tried changing the number to other digits & I was able to get all the personal details of their customers.

Tip here: every time, look for endpoints in Burp & try to play with them.
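An added example, not code from this post or from the program in question, showing the handler pattern behind an IDOR like this one next to a hardened version that checks object-level authorization, plus a simple detection pass over constructed access-log lines. The function names, the user records, the session format and the log layout are all assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Optional

# Constructed sample user store standing in for the target's database (hypothetical).
USERS = {
    1: {"name": "Alice", "phone": "+91-0000000001", "email": "alice@example.invalid"},
    2: {"name": "Bob", "phone": "+91-0000000002", "email": "bob@example.invalid"},
}

def get_user_vulnerable(session_user_id: int, requested_id: int) -> Optional[dict]:
    """The bug pattern: the handler trusts the id taken from the URL and never
    asks whether the caller is allowed to see that record."""
    return USERS.get(requested_id)

def get_user_fixed(session_user_id: int, requested_id: int,
                   is_admin: bool = False) -> Optional[dict]:
    """Hardened handler: object-level authorization. A record is returned only
    to its owner (or an admin). Any other id is treated as not found, so the
    response does not even confirm that the id exists."""
    if not is_admin and requested_id != session_user_id:
        return None
    return USERS.get(requested_id)

# Detection side: constructed access-log lines (not from the post) in a simple
# "client session method path status" shape. One session walking many distinct
# /api/users/<id> values in a short window is the signature of enumeration.
SAMPLE_LOG = """\
203.0.113.5 sess=abc GET /api/users/139118 200
203.0.113.5 sess=abc GET /api/users/1 200
203.0.113.5 sess=abc GET /api/users/2 200
203.0.113.5 sess=abc GET /api/users/3 200
198.51.100.9 sess=xyz GET /api/users/42 200
"""
LINE_RE = re.compile(r"^(\S+) sess=(\S+) GET /api/users/(\d+) (\d{3})$")

def find_enumeration(log_text: str, threshold: int = 3) -> Dict[str, int]:
    """Count distinct user ids fetched per session on the user endpoint and
    return the sessions at or above the threshold (session -> distinct ids)."""
    ids_by_session = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(4) == "200":  # only successful disclosures count
            ids_by_session[m.group(2)].add(int(m.group(3)))
    return {s: len(ids) for s, ids in ids_by_session.items() if len(ids) >= threshold}
```

In a real deployment the threshold and window would be tuned to the application's normal traffic, since legitimate admin tooling may also touch many records.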

Thanks for reading this, hope you enjoyed my blog 😀.

Many more to come soon!

Best of luck for all of your future infosec things.

If you have questions or anything about the post you want to ask me, please contact me via Twitter. I'll have my DMs open.


Source: https://infosecwriteups.com/hacking-a-company-and-able-to-access-1-lakh-customers-personal-details-e195570e86?source=rss----7b722bfd1b8d--bug_bounty