A simple IDOR worth $400.

elcezeri
2 min readJun 2, 2024

--

In this blog post, I will tell you about my simple but effective story of finding the IDOR vulnerability.

Domain:target.com

First of all, I want to talk about the program. The target program was a shopping website. It was a little difficult to decide to hunt in this program that has been active for about 2 years. I was afraid of duplicate, but I opened the target program and started browsing the target site for about 1–2 hours. I was trying to understand the logic of the website and collecting requests. I focused on this program for a day or two, but I didn’t find anything.

When there is a shopping site, I first try to order that product for free, etc. I try bussiness logics. I have tried many things here and none of them worked.

I purchased the product and while the product was in the preparation phase, I canceled the product and wanted to return it. I then caught the request. The request link looks like this:

https://www.tagert.com/return/rorderID=1123.

Yes, as you guessed, I quickly replaced it with numbers like 1122,1121 and accessed the return page of other users.

https://www.tagert.com/return/rorderID=1122

https://www.tagert.com/return/rorderID=1121

This page did not show PII information about the user, but there was an option to cancel the refund. I could cancel other users’ refund requests by changing their ID number.

I sent the report. 1 day later the report was accepted and I was awarded $400. Sometimes these endpoints can be overlooked on shopping sites. You have to make sure you test every function.

The product I wanted to buy was a black hat, but we must be a hacker with a white hat :)

For suggestions or questions, you can contact me at my linkedln address.

Good reading for everyone, stay healthy.

--

--