Hi all, this write-up is about a vulnerability found while collaborating with my friend Hasanka, AKA WrathfulDiety.
If you haven’t checked the other write-ups in the IDOR Diaries series, you can find them below.
We were testing a shopping website where we came across a weird wishlist feature. We were able to view the private and public wishlists of any user on the website. The wishlist URL looked like the sample URL below:
https://www.xyz.com/find/wishlist.jsp#/1122A36R456/supun-default-wish-list
First we tried removing /supun-default-wish-list, which gave us a 404 error. The URL looked like this:
https://www.xyz.com/find/wishlist.jsp#/1122A36R456
Then we added a “/” to the end of the URL, which looked like this:
https://www.xyz.com/find/wishlist.jsp#/1122A36R456/
It returned the contents of another user’s private wishlist.
Now that we could bypass the wishlist restriction by adding “/” to the end of the URL, we decided to dig deeper to find an IDOR that would let us enumerate all wishlists.
Since each wishlist has a unique ID like /1122A36R456/, we tried to find a flaw in this ID, and after investigation we found that it does follow a pattern, though a weird one.
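To make the root cause concrete, here is an added example (not code from the post or the site) modelling the behaviour we observed against a fixed version. The lookup logic, the `WISHLISTS` records and the user names are constructed assumptions; the point is that access must be decided from the record's visibility and owner, never from whether the slug segment is present.

```javascript
// Constructed sample data (not from the post): two users and their wishlists.
const WISHLISTS = {
  "1122A36R456": { owner: "supun", slug: "supun-default-wish-list", isPublic: false, items: ["lamp"] },
  "9988B11Q222": { owner: "hasanka", slug: "hasanka-gifts", isPublic: true, items: ["book"] },
};

// Split ".../wishlist.jsp#/<id>/<slug>" into id and slug.
// slug is undefined when the segment is absent, "" when only a trailing "/" follows the id.
function parseWishlistRoute(url) {
  const route = url.split("#")[1] || "";
  const [, id, slug] = route.split("/");
  return { id, slug };
}

// Hypothetical model of the observed behaviour: the slug is the only gate,
// so an empty slug (trailing "/") falls through without any ownership check.
function vulnerableLookup(url, requester) {
  const { id, slug } = parseWishlistRoute(url);
  const list = WISHLISTS[id];
  if (!list) return { status: 404 };
  if (slug === undefined) return { status: 404 };               // no slug segment at all
  if (slug !== "" && slug !== list.slug) return { status: 404 }; // wrong slug
  return { status: 200, items: list.items };                    // empty slug: no check
}

// Hardened version: authorization comes from the record and the requester,
// never from the shape of the path. The slug is cosmetic and ignored for access.
function hardenedLookup(url, requester) {
  const { id } = parseWishlistRoute(url);
  const list = WISHLISTS[id];
  if (!list) return { status: 404 };
  const allowed = list.isPublic || (requester !== null && requester === list.owner);
  if (!allowed) return { status: 404 }; // same status as "not found", so IDs are not confirmed
  return { status: 200, items: list.items };
}
```

Run the same three URL shapes from the post (slug present, slug removed, trailing "/") through both functions to see that only the hardened one keeps the private list hidden from a non-owner.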
Here’s the ID pattern breakdown.
The ID is 1122A36R456