Day 32/100 Hack and Improvement

Day 32 comes with a new month and goals from Sam (CoffeeJunkie), and Rajesh Ranjan. One of the goals is to submit 3 vulnerabilities a week, to start that’s the goals of the week, let’s see how it goes. Besides that some Information Disclosure and RXSS and IDORs on cookies.

Information Disclosure and RXSS

Rajesh Ranjan. I check this writeup today, and I learnt that, how a researcher was able to find a RXSS. Checkout the writeup here.

Eyes for IDORs

From Sam (CoffeeJunkie). IDORs are pretty common in Web Applications, by experience, I cannot relate to this case scenario because I have not catch a IDOR bug, not yet :), but I’m willing to learn and look for it, therefore here it is one writeup that I really like it related to IDORs in a cookie!

IDORs on cookies

So, the attacker saw the following cookie which contained a SESIONID parameter! The cookie looked something like this:

shoppingID=88ea39539e74fa67c09a4fc0bc8ebe6d00978392PEr9ySESSIONID3552522PXGLkC;

The attacker saw the great chance to change the 7 numbers that follows after SESIONID which gave him access to different kind of accounts. Therefore, this counts as improper authentication and IDOR on access token.

Full write up here.