How I found my first IDOR in HackerOne

In the name of Almighty, Allah, I begin. This write-up is about how I found my first IDOR in HackerOne and got my first swag.

Recently I got a BugBountyHunter subscription, so I tried to test what I had learnt there on h1 programs. Normally, I create two accounts while testing and pass everything through Burp Suite, and I try to create both of them with the same username using a null byte at the end. But in this case nothing worked. So I searched for every request that had my user-id using the HTTP History tab, and used Match and Replace from the options to change my first account’s user-id to the second account’s user-id, to check if I got any 200 OK response back (an easy way to find IDOR, I suppose).

Burp Suite Match and Replace

But unfortunately this method didn’t work either. Then I tried looking for upload vulnerabilities, and there was an option where a user needed to upload a payment receipt to verify that he is a legit customer. So I checked the URL of the uploaded image, and there was an id in it which was a simple numerical value, looking like this: https://target.com/attachments/registrations/{numerical_value}/proof_of_purchases/view/original . So I immediately uploaded another picture from the 2nd account and tried to view the 2nd account’s URL with the 1st one and BoOm! To show more impact, I brute-forced the ‘numerical_value’ in Intruder, and all the 200 responses contained customer signature, PayPal address, home address etc.

Then I tried to check if image metadata was handled properly, as I had recently read this report: https://hackerone.com/reports/906907. So I downloaded a picture from this repository, https://github.com/ianare/exif-samples/tree/master/jpg/gps, and uploaded it. Then I downloaded my uploaded picture from the URL and used exiftool to check whether the metadata was stripped, but to my surprise it hadn’t stripped anything, as you can see the GPS location is still present.

So I chained the IDOR with the EXIF metadata and it got triaged as High Severity. And I got my first swag. It was uncommon for me, as normally I look for IDOR where only my user-id is used. But in this case the IDOR was in the image id. So, don’t forget to check every endpoint. Happy Hacking!
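The two defects chained above, seen from the fix side, as an added example that is not code from this write-up or from the affected program: a receipt store that strips the APP1 segment (where Exif and its GPS tags live) before saving, and checks ownership before serving. `ReceiptStore`, the account names and the sample JPEG bytes are constructed for illustration, and the parser assumes every header marker before the scan carries a length field.

```python
import struct

def strip_exif(jpeg: bytes) -> bytes:
    """Drop every APP1 segment (Exif incl. GPS, and XMP) from a JPEG header."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    out, pos = bytearray(b"\xff\xd8"), 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment marker")
        marker = jpeg[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
            continue
        if marker == 0xDA:                 # start of scan: the rest is image data
            return bytes(out + jpeg[pos:])
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("bad segment length")
        if marker != 0xE1:                 # keep everything except APP1
            out += jpeg[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("no image data found")

class ReceiptStore:
    """Hypothetical in-memory stand-in for the receipt attachment endpoint."""
    def __init__(self):
        self._items = {}                   # registration id -> (owner, jpeg)
        self._next_id = 1

    def upload(self, owner_id: str, jpeg: bytes) -> int:
        reg_id, self._next_id = self._next_id, self._next_id + 1
        self._items[reg_id] = (owner_id, strip_exif(jpeg))  # strip before storing
        return reg_id

    def view(self, requester_id: str, reg_id: int) -> bytes:
        item = self._items.get(reg_id)
        # Same error for "missing" and "not yours", so ids cannot be enumerated.
        if item is None or item[0] != requester_id:
            raise PermissionError("not found")
        return item[1]

def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: JFIF header, fake Exif/GPS APP1, quantization table, scan.
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00" + bytes(9))
          + _seg(0xE1, b"Exif\x00\x00" + b"constructed GPS block")
          + _seg(0xDB, bytes(65)) + _seg(0xDA, bytes(10)) + b"\x12\x34\xff\xd9")
```

Sequential ids stay harmless once `view` ties every lookup to the requesting account; the stripping step limits what leaks if an authorization check is ever missed again.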

Hey. It’s me. Orin. I am a medical student but doing Bug Bounty for fun.