Hello peeps, peace be upon you. First of all, this is my first writeup, so there may be some shortcomings; please overlook my silly mistakes.
So let's dive into the journey of finding an IDOR 😉. It was a normal quarantine day and I couldn't go out to buy fish food for my lovely fishes.
That's why I was looking for fish food on a well-known e-commerce site in my country and ordered one packet of fish food. The application had a function where, after an order is placed, it redirects to the "Your Orders" page. Then suddenly I noticed the address bar and saw the link; it was
https://site.com/checkout/payment?orderId=xxxxxxx
Ah!! You see the param? 😁 I think you are thinking the same thing I was thinking. I fired up my Burp 🖤 and sent the intercepted request to the Repeater. Then I changed the value of the param from
https://site.com/checkout/payment?orderId=1111111
to
https://site.com/checkout/payment?orderId=1111112
But alas! It was showing 401 Unauthorized 😑.
So what! Should I give up or hunt deeper? My evil mind suggested I hunt deeper, and I listened to its words 😉. After digging more, I came upon a process: the "cancel orders" option. Using this option, an authenticated user can cancel his/her orders.
Then I cancelled my order, intercepted the request, and the URL was
I sent it to the Repeater tab and changed the last digit of the order id, and I was shocked that the response came back with a 200 status code. That means I successfully cancelled some other user's order without access to his/her account.
But I needed to confirm this issue further. So, I changed the last digit to another random integer, but that time it showed 404 Not Found! 🙄
Then I confirmed that if an order exists, cancelling it returns 200, else 404, and through the 200 response I was able to cancel any user's order without any authentication.
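Reduced to code, here is the server-side pattern that produces exactly this behaviour (401 without a session, 404 for an unknown id, 200 for anyone's order) next to the check that closes it. This is an added illustration, not the site's code; the order ids, user ids and in-memory store are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Order:
    order_id: int
    owner_id: int
    status: str = "placed"


def sample_orders() -> dict:
    """Constructed sample data (hypothetical ids): two users, one order each."""
    return {
        1111111: Order(order_id=1111111, owner_id=10),
        1111112: Order(order_id=1111112, owner_id=20),
    }


def cancel_order_vulnerable(orders: dict, user_id: Optional[int], order_id: int) -> int:
    """The pattern behind the writeup: the handler checks that somebody is
    logged in and that the order exists, but never that the order belongs
    to the caller. Returns an HTTP-style status code."""
    if user_id is None:
        return 401                      # no session at all
    order = orders.get(order_id)
    if order is None:
        return 404                      # what a random, non-existent id produced
    order.status = "cancelled"
    return 200                          # any logged-in user can cancel any order


def cancel_order_fixed(orders: dict, user_id: Optional[int], order_id: int) -> int:
    """Ownership is decided server-side from the authenticated session, and a
    foreign order is answered exactly like a missing one, so the status code
    no longer tells a caller which ids exist."""
    if user_id is None:
        return 401
    order = orders.get(order_id)
    if order is None or order.owner_id != user_id:
        # Record the rejected attempt: a burst of these from one session is
        # the detection signal for id-guessing against this endpoint.
        print(f"audit: user={user_id} denied cancel of order={order_id}")
        return 404
    order.status = "cancelled"
    return 200
```

The same ownership check belongs on every endpoint that takes an orderId, since the payment page here already rejected foreign ids while the cancel endpoint did not.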
I made a PoC and reported this issue to the authority. They fixed it and awarded me 10,000 BDT.
Reported — Fri, May 8
Awarded - Thu, May 14
After all, thanks to my Allah for everything. Thanks to my PC, my parents, my friends, and especially someone 🖤 for their inspiration, help and love.
Thanks for reading, hoping for some claps ;) Pardon me for my mistakes.
Have a nice day. Be safe ❤