MY first P2- Vulnerability IDOR (Insecure Direct Object References)

3 min readJun 1, 2023

Hello folks!
My name is Abdelhy khaled, I am Security Researcher & Bug Bounty Hunter .I found an IDOR on ticket support which allows me to view any ticket submitted to the support team by the User .
So, before going into deep let’s have a look what is IDOR?

What is IDOR?

Insecure Direct Object References (IDOR) occur when an application exposes direct references to internal implementation objects, such as files, database records, or URLs.
It allows an attacker to bypass authorization and access resources that they should not have permission to view or modify.
Essentially, it enables unauthorized access to sensitive data by manipulating object references.

Understanding the Impact:

The impact of an IDOR vulnerability can be far-reaching. It can compromise the confidentiality, integrity, and availability of sensitive information.
By exploiting IDOR, an attacker may gain access to user data, personal records, financial information, or even administrative controls.
The consequences of such unauthorized access can be disastrous for individuals, businesses, and even national security.

Let’s start the journey

Methodology

I always enjoy spending time on manual discovery, rather than relying on automatic scanning. By analyzing the functionality of the target, I gain a better understanding of how it works. This approach is what sets great hackers apart, as it enables them to make significant discoveries. With this knowledge, one can uncover some great catches.

After working on the target for a few days and examining the name of the program, which was listed as “redacted.com”, I discovered that it was possible to create a support ticket to contact their support team. Curious to see if this feature was vulnerable, I quickly created a support ticket and found that it was stored at a specific endpoint:

https://redacted.com/v2/my-support/ticket/696227

Here are some points to keep in mind:

Can you find IDs that arent incremental? Sometimes an ID can be found by visiting a page or an asset.
Is the ID encoded or not in plaintext?
Can a ticket be accessed directly from the url, without needing prior authentication?

At the same time, while I was checking for Stored XSS on their ticket support chat portal, I logged in and submitted a ticket with an XSS payload. However, it was filtered by the system. Subsequently, I received the ticket ID 696227 to chat with support regarding the submitted issue. While the ticket ID caught my attention, I decided to change the number 192564 to a random number. Guess what happened next?

BOOoOM!!

I was able to see any user ticket support chat :)