Original Post: Hunting for Corporate Accounts: Exploiting IDOR and Parameter Pollution in Web Applications | by Tusharpuri | Sep, 2024
The post describes the process of exploiting an Insecure Direct Object Reference (IDOR) vulnerability in a web application’s “My Profile” section. Initially, the tester tried changing the “id” parameter in the URL to access other user profiles but faced repeated errors. They then used a more unconventional approach by supplying the “id” parameter twice in the same request (e.g., id=200&id=201), which led to displaying another user’s profile information while maintaining their own session.
After successfully exploiting this vulnerability, the tester focused on automating the process using parameter pollution, which allowed them to enumerate and identify active user profiles. An automation script using “curl” and “grep” was employed to generate a list of 600 active user names.
Next, the tester aimed to identify corporate email addresses linked to the accounts. By applying common corporate email formatting rules (e.g., firstname.lastname@company.com, firstinitial.lastname@company.com), they generated potential email addresses for each user, which could then be used for further attacks like credential stuffing or phishing.
The post emphasizes the critical security oversight in the application’s lack of access control validation, highlighting the potential risk for severe breaches.
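The summary above covers both the flaw (a profile endpoint that honours a duplicated “id” parameter without checking that the requester owns the requested profile) and the enumeration that followed. The following Python is an added illustration, not code from the post or the application it describes: a handler that reproduces the class of bug under an assumed mechanism (the authorization check and the data lookup reading different copies of the repeated parameter), the hardened handler beside it, and a small access-log check that flags requests carrying a repeated query key. The profile store, endpoint path and log lines are constructed.

```python
"""Defensive handling of a duplicated query parameter (HTTP parameter
pollution) on a "My Profile" endpoint, plus a log check for such requests.
Added illustration, not code from the post; profiles, paths and log lines
are constructed sample data."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample profile store: profile id -> record.
PROFILES = {
    200: {"name": "alice"},
    201: {"name": "bob"},
    202: {"name": "carol"},
}


def vulnerable_profile_handler(query_string, session_user_id):
    """Reproduces the class of bug the post describes (assumed mechanism:
    the authorization check and the data lookup read different copies of
    the duplicated parameter). The check validates the FIRST 'id', the
    lookup uses the LAST one, so ?id=200&id=201 passes the check as user
    200 and then returns profile 201. Returns (status, body)."""
    ids = parse_qs(query_string).get("id", [])
    if not ids:
        return 400, "missing id"
    if int(ids[0]) != session_user_id:          # check looks at ids[0]
        return 403, "forbidden"
    return 200, PROFILES.get(int(ids[-1]))      # lookup uses ids[-1]


def hardened_profile_handler(query_string, session_user_id):
    """Reject any request where 'id' is absent or repeated, parse it once,
    and authorize the single parsed value against the session before the
    lookup, so both decisions are made on the same object reference."""
    ids = parse_qs(query_string, keep_blank_values=True).get("id", [])
    if len(ids) != 1:
        return 400, "id must appear exactly once"
    try:
        requested = int(ids[0])
    except ValueError:
        return 400, "id must be an integer"
    if requested != session_user_id:
        return 403, "forbidden"
    profile = PROFILES.get(requested)
    if profile is None:
        return 404, "not found"
    return 200, profile


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2024:10:00:01 +0000] "GET /profile?id=200 HTTP/1.1" 200 1532
10.0.0.5 - - [12/Sep/2024:10:00:07 +0000] "GET /profile?id=200&id=201 HTTP/1.1" 200 1498
10.0.0.5 - - [12/Sep/2024:10:00:09 +0000] "GET /profile?id=200&id=202 HTTP/1.1" 200 1510
10.0.0.9 - - [12/Sep/2024:10:01:44 +0000] "GET /profile?id=77&lang=en HTTP/1.1" 200 1421
"""

_REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')


def find_polluted_requests(log_text):
    """Return (client_ip, path, duplicated_key) for every logged request
    whose query string repeats a parameter name. Repeated keys are rare in
    legitimate traffic to a profile page, so a run of them from one client
    is a cheap hunting signal for the enumeration the post describes."""
    hits = []
    for line in log_text.splitlines():
        m = _REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        parts = urlsplit(target)
        keys = Counter(pair.split("=", 1)[0] for pair in parts.query.split("&") if pair)
        for key, count in keys.items():
            if count > 1:
                hits.append((ip, parts.path, key))
    return hits


if __name__ == "__main__":
    print(vulnerable_profile_handler("id=200&id=201", 200))
    print(hardened_profile_handler("id=200&id=201", 200))
    print(find_polluted_requests(SAMPLE_LOG))
```

The hardened handler fixes two separate things: it refuses ambiguous input (a repeated or blank “id”) instead of letting the framework silently pick first-wins or last-wins, and it authorizes the same parsed value it later uses for the lookup, which is the access-control validation the post says was missing. Frameworks differ in how they resolve duplicate keys, so the explicit count check is what makes the behaviour independent of the stack.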