IDOR allows seeing, editing & deleting the cart of other users

ZaidMessi
Feb 8, 2021

Starting with the name of Allah, the Most Gracious and the Most Merciful.

Hello Guys,

This is my second writeup on Medium. In this writeup I show you how I was able to see, edit and delete the cart of other users using IDOR (insecure direct object references).

So again, the website name is vulnerable.com (can't disclose).

vulnerable.com is a website where we can buy domains, like GoDaddy. So it consists of some features like login, purchase and add-to-cart functionalities.

I started with automation: tried subdomain enumeration, dir fuzzing, network scans etc., but could not find anything vulnerable. So, going with a manual approach, I checked each parameter, tried to enter payloads in fields, used Google/Git dorks, signup etc.

After signup I searched for some stuff and added it to the cart (website functionality). I noticed that a cookie named cartId is set when the user adds something to his cart for the first time. The cartId cookie contains a hex value as the cartId.

So then I created another user and checked the cookie; it also contains a hex value, as for other users. Each cartId is different from the others.

Above is an image of the cart of the second user; it is empty.

I simply copied the first user's cartId into the other user's cartId cookie. Then I refreshed the page and got the content of the first user's cart. I can easily see, edit and delete the content of the cart in one request.

Here the cartId cookie parameter is vulnerable because the server doesn't validate any other cookie parameter to check whether the cart belongs to the owner or not.
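The missing check, shown next to a version that binds the cart to the logged-in session. This is an added example, not code from the original write-up or from the affected site; the in-memory stores, the `session` cookie name and the function names are assumptions, and the users and cart contents are constructed.

```python
import secrets

CARTS = {}     # cartId -> {"owner": user, "items": [...]}
SESSIONS = {}  # session token -> user (the "session" cookie is an assumption)

class Forbidden(Exception):
    """The requester does not own the referenced cart."""

def login(user):
    token = secrets.token_hex(16)
    SESSIONS[token] = user
    return token

def create_cart(user, items):
    cart_id = secrets.token_hex(16)  # unguessable, but still not an authorization check
    CARTS[cart_id] = {"owner": user, "items": list(items)}
    return cart_id

def get_cart_vulnerable(cookies):
    # Behaviour described in the write-up: the cartId cookie alone selects the cart.
    return CARTS[cookies["cartId"]]["items"]

def owned_cart(cookies):
    # Resolve the user from the session, then require that user to own the cart.
    # Unknown and foreign cartIds get the same error, so the reply does not
    # reveal which IDs exist.
    user = SESSIONS.get(cookies.get("session"))
    cart = CARTS.get(cookies.get("cartId"))
    if user is None or cart is None or cart["owner"] != user:
        raise Forbidden("cart not available for this session")
    return cart

def get_cart_checked(cookies):
    return owned_cart(cookies)["items"]

def remove_item_checked(cookies, item):
    # Edit and delete go through the same ownership check as view.
    owned_cart(cookies)["items"].remove(item)

if __name__ == "__main__":
    login("user1")                                  # constructed sample users
    second = login("user2")
    cart1 = create_cart("user1", ["example-domain.test"])
    swapped = {"session": second, "cartId": cart1}  # user2 presents user1's cartId
    print("vulnerable:", get_cart_vulnerable(swapped))
    try:
        get_cart_checked(swapped)
    except Forbidden as exc:
        print("checked: rejected,", exc)
```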

Conclusion: Always check every parameter and focus on each change made before and after the request.

Thank you so much for reading.

Hope you learn something from it.
