Summary

  • Insecure direct object references (IDORs) are a common software vulnerability in which an application exposes internal object IDs and then fails to check that the caller is authorised for the object; an attacker can enumerate those IDs and gain access to data that they should not be able to use.
  • This post outlines four different types of IDOR discovered by the author in a private programme, each of which earned them a $3,000 bounty.
  • The first was Amazon S3 storage with no authentication in front of it, meaning that all a person had to do to obtain personally identifiable information (PII) on attendees was guess the ID number of the event.
  • The second involved the creation of subevents which then sat alongside the main event on the platform, siphoning all ticket and registration revenue to the attacker.
  • The third involved the injection of arbitrary questions into the ticket purchase pathway for an event, which could be used to harass attendees, block sales or damage the brand of the event.
  • The final one allowed the attacker to harvest the emails of all the platform’s users.
  • The post ends with a set of tips for discovering IDORs and increasing your bounty.
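The enumeration pattern behind the first and fourth findings, as an added example rather than code from the original post or from the platform it describes: an authenticated lookup that never checks ownership, the same lookup with the check added, and the attacker's loop over a sequential ID range. The event IDs, organisers and attendee addresses are constructed sample data.

```python
"""Added example (not the original post's code): an IDOR-prone lookup
next to its hardened form, plus the enumeration loop that turns a
guessable ID into a data leak. All IDs, names and addresses below are
constructed for the example."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    user_id: int
    email: str


@dataclass
class Event:
    event_id: int            # sequential and guessable: the IDOR precondition
    organiser_id: int        # only this user should see the attendee list
    attendees: list = field(default_factory=list)   # PII exposed on a leak


# Constructed sample data: three events owned by two organisers.
EVENTS = {
    1001: Event(1001, organiser_id=1, attendees=["alice@example.test", "bob@example.test"]),
    1002: Event(1002, organiser_id=2, attendees=["carol@example.test"]),
    1003: Event(1003, organiser_id=1, attendees=["dave@example.test"]),
}


class Forbidden(Exception):
    """Raised when the caller is not authorised for the requested object."""


def attendees_vulnerable(caller: User, event_id: int) -> list:
    """IDOR: the caller is authenticated, but ownership is never checked,
    so any valid event_id returns another organiser's attendee PII."""
    return list(EVENTS[event_id].attendees)


def attendees_hardened(caller: User, event_id: int) -> list:
    """Same lookup with the missing authorisation check. An unknown event
    and a foreign event raise the same error, so the response does not
    reveal which IDs exist (no existence oracle for enumeration)."""
    event = EVENTS.get(event_id)
    if event is None or event.organiser_id != caller.user_id:
        raise Forbidden("event not found")
    return list(event.attendees)


def enumerate_ids(caller: User, lookup, start: int, stop: int) -> dict:
    """Attacker's loop: walk a sequential ID range and keep whatever the
    endpoint hands back. Returns {event_id: attendees} for every hit."""
    harvested = {}
    for event_id in range(start, stop):
        try:
            harvested[event_id] = lookup(caller, event_id)
        except (KeyError, Forbidden):
            continue
    return harvested


if __name__ == "__main__":
    # Attacker is organiser 2 and legitimately owns only event 1002.
    attacker = User(user_id=2, email="mallory@example.test")
    print("vulnerable:", enumerate_ids(attacker, attendees_vulnerable, 1000, 1010))
    print("hardened:  ", enumerate_ids(attacker, attendees_hardened, 1000, 1010))
```

Against the vulnerable lookup the loop recovers every attendee list on the platform; against the hardened one it recovers only the attacker's own event. Note that switching to random, unguessable IDs alone would only slow the loop down; the ownership check is the fix, and the uniform error keeps the endpoint from confirming which IDs exist.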

By Ashutosh Dutta

Original Article