IDOR to information disclosure + Admin Account Takeover

3 min readJul 13, 2021

Hi everyone,

I am Aditya Shende (Kong) from India. Bounty Hunter , Biker and Researcher.

This is my 3rd article , If you found any spell error. Let it be…..

What is IDOR ?

Entity names are used to identify application-controlled resources that are supplied in URLs or request parameters in a Direct Object Reference web application design method.

Lets get started…..

As normal user I tested all function including update, delete, download, make post public and private etc . Found many bugs but this one is interesting as I think . Viewing profile function was my first shot and POST parameters are second . Endpoint : POST /Profile . See the screenshot below

So basically it was disclosing enough information , I tried for my self . Now playing with username parameter was good shot where I put another username number got his information including home address , role, number , access level etc.

IMPORTANT: “_id” parameter leads to account takeover

On profile section reset password function was there so evil mind comes up

If I know _id of any user then I can reset his/her password. I tried the same what I thought and it was working fine , So how I did it. POST request containing _id and password , I replace my id to another user encrypted id and forwarded request

After passing this request , Response was 200 OK and all we know JSON context params have default responses like : true , verified , error, success etc. Mine one came up with “true”

So I tried to access that user account with user username and password which I set and it was working and leads to ATO of admin. I have multiple privileges that normal user cant access

And again I got multiple different functions to test . On that site I found more than 20 vulnerabilities.

Thanks for reading , Jai hind




#kongsec | Solo Bounty Hunter | Function Exploits and Report Crafting | Bikes | Not a XSS guy | Own views | Bugcrowd Top 100 l Top 10 P1 warriors | Biker