Day 32/100 Hack and Improvement
Day 32 comes with a new month and goals from Sam (CoffeeJunkie), and Rajesh Ranjan. One of the goals is to submit 3 vulnerabilities a week, to start that’s the goals of the week, let’s see how it goes. Besides that some Information Disclosure and RXSS and IDORs on cookies.
Information Disclosure and RXSS
Rajesh Ranjan. I check this writeup today, and I learnt that, how a researcher was able to find a RXSS. Checkout the writeup here.
Eyes for IDORs
From Sam (CoffeeJunkie). IDORs are pretty common in Web Applications, by experience, I cannot relate to this case scenario because I have not catch a IDOR bug, not yet :), but I’m willing to learn and look for it, therefore here it is one writeup that I really like it related to IDORs in a cookie!
IDORs on cookies
So, the attacker saw the following cookie which contained a SESIONID
parameter! The cookie looked something like this:
shoppingID=88ea39539e74fa67c09a4fc0bc8ebe6d00978392PEr9ySESSIONID3552522PXGLkC;
The attacker saw the great chance to change the 7 numbers that follows after SESIONID
which gave him access to different kind of accounts. Therefore, this counts as improper authentication and IDOR on access token.
Full write up here.
Leave a comment