Day 32 comes with a new month and new goals from Sam (CoffeeJunkie) and Rajesh Ranjan. One of the goals is to submit 3 vulnerabilities a week; to start, that is the goal for this week, let’s see how it goes. Besides that, some Information Disclosure, RXSS, and IDORs on cookies.
Information Disclosure and RXSS
Eyes for IDORs
From Sam (CoffeeJunkie). IDORs are pretty common in web applications. From experience, I cannot relate to this scenario because I have not caught an IDOR bug, not yet :), but I’m willing to learn and look for it, so here is one write-up that I really like, related to IDORs in a cookie!
IDORs on cookies
So, the attacker saw the following cookie, which contained a SESIONID parameter! The cookie looked something like this:
The attacker saw a great chance: changing the 7 digits that follow SESIONID gave him access to different kinds of accounts. Therefore, this counts as improper authentication and an IDOR on the access token.
Full write up here.
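To make the root cause concrete, here is an added example (my own code, not from the write-up or the blog author) that models a session cookie scheme like the one described: a weak store that hands out a sequential 7-digit SESIONID, beside a hardened store that issues an unguessable random handle and resolves it only through a server-side table. The cookie name SESIONID is taken from the post; the account names, the 1000000 starting counter and the helper function names are constructed for the demo. It also includes a small triage check a tester can run over cookies issued to their own test accounts to flag a counter-style scheme, and a tamper helper used as a regression test: a modified cookie must never resolve to a real user.

```python
import hmac
import secrets
from typing import Dict, List, Optional

# Cookie name as described in the post; everything else below is constructed.
COOKIE_NAME = "SESIONID"


def _cookie_value(cookie: str) -> str:
    """Return the value part of 'SESIONID=<value>'; raise on malformed input."""
    name, sep, value = cookie.partition("=")
    if not sep or name != COOKIE_NAME:
        raise ValueError("unexpected cookie format")
    return value


class WeakSessionStore:
    """Reproduces the flaw the post describes: each login gets the next
    7-digit number, so the cookie value doubles as a guessable account index."""

    def __init__(self) -> None:
        self._counter = 1000000  # constructed starting value
        self._sessions: Dict[int, str] = {}

    def login(self, username: str) -> str:
        self._counter += 1
        self._sessions[self._counter] = username
        return f"{COOKIE_NAME}={self._counter:07d}"

    def whoami(self, cookie: str) -> Optional[str]:
        value = _cookie_value(cookie)
        if not value.isdigit():
            return None
        return self._sessions.get(int(value))


class HardenedSessionStore:
    """Fix: the cookie carries an unguessable random handle; the mapping from
    handle to user lives only on the server, so editing the cookie cannot
    select a different account."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def login(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = username
        return f"{COOKIE_NAME}={token}"

    def whoami(self, cookie: str) -> Optional[str]:
        value = _cookie_value(cookie)
        # Constant-time comparison against each stored handle, so a failed
        # lookup leaks nothing about how close the supplied value was.
        for stored, user in self._sessions.items():
            if hmac.compare_digest(stored, value):
                return user
        return None

    def logout(self, cookie: str) -> None:
        self._sessions.pop(_cookie_value(cookie), None)


def looks_sequential(cookies: List[str]) -> bool:
    """Triage check over cookies issued to the tester's own accounts:
    purely numeric values whose gaps are all tiny indicate a counter rather
    than a random token. Returns True when the scheme looks predictable."""
    values = [_cookie_value(c) for c in cookies]
    if len(values) < 2 or not all(v.isdigit() for v in values):
        return False
    nums = sorted(int(v) for v in values)
    gaps = [b - a for a, b in zip(nums, nums[1:])]
    return all(0 < g <= 10 for g in gaps)


def tamper_last_char(cookie: str) -> str:
    """Regression-test helper: change the final character of the cookie value.
    A sound session store must map the modified handle to no user at all."""
    value = _cookie_value(cookie)
    new_last = "1" if value[-1] != "1" else "2"
    return f"{COOKIE_NAME}={value[:-1]}{new_last}"


if __name__ == "__main__":
    weak = WeakSessionStore()
    a, b = weak.login("alice"), weak.login("bob")
    print("weak scheme looks sequential:", looks_sequential([a, b]))
    hardened = HardenedSessionStore()
    h = hardened.login("alice")
    print("tampered hardened cookie resolves to:", hardened.whoami(tamper_last_char(h)))
```

The point of the two stores side by side is that the hardened version does not "validate" the cookie harder; it simply never lets the client-supplied value carry identity. The handle is random, so there is no neighbouring value to step to, and the user is looked up from server-side state that only the server can write.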