Bug Bounty Report Writing
A vague title such as "IDOR on a Critical Endpoint" tells the triager little; a descriptive title names the affected endpoint and the impact:
"IDOR on https://example.com/change_password Leads to Account Takeover for All Users"
The https://example.com/change_password endpoint takes two POST body parameters: user_id and new_password. A POST request to this endpoint changes the password of the user identified by user_id to new_password. The endpoint does not validate the user_id parameter against the logged-in user, and as a result any user can change anyone else's password by manipulating the user_id parameter.
Evaluate severity based on CVSS:
- Low severity: open redirect only for phishing
- Medium severity: CSRF on password change
- High severity: open redirect for OAuth
- Critical severity: SQL injection leading to RCE
- 1. Log in to the site and visit the change password page.
- 2. Click the Change Password button.
- 3. Intercept the request, and change the user_id parameter to another user's ID.
- 1. Make two accounts on example.com: account A and account B.
- 2. Log in to example.com as account A, and visit the change password page.
- 3. Fill in the desired new password in the New Password field, located at the top left of the page.
- 4. Click the Change Password button located at the top right of the page.
- 5. Intercept the POST request to https://example.com/change_password and change the user_id POST parameter to the user ID of account B.
- 6. You can now log in to account B by using the new password you've chosen.
Include a video, screenshots, or photos documenting your exploit. If there is a payload involved, include the payload as well.
Using this vulnerability, all that an attacker needs in order to change a user's password is their user_id. Since each user's public profile page lists the account's user_id, anyone can visit any user's profile, find out their user_id, and change their password. And because user_ids are simply sequential numbers, a hacker can even enumerate all the user_ids and change the passwords of all users! This bug will let attackers take over anyone's account with minimal effort.
The application should validate the user_id parameter within the change password request to ensure that the user is authorized to make account modifications. Unauthorized requests should be rejected and logged by the application.
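The following is an added illustration, not code from the original report or from any real application, showing the IDOR described above beside the recommended fix. It is framework-free so it runs offline: the `session` and `body` dicts stand in for whatever the real web framework provides, the `USERS` store and account IDs are constructed sample data, and the handler names are hypothetical.

```python
# Added example (not from the original report): a minimal password-change
# handler written two ways. The vulnerable version trusts the user_id in the
# POST body, which is the IDOR described in the report; the fixed version
# authorizes the request against the authenticated session and logs rejections.
import logging

logger = logging.getLogger("change_password")

# Constructed sample user store: user_id -> password (plaintext only for brevity;
# a real application stores password hashes).
USERS = {1: "alice-old", 2: "bob-old"}


class Forbidden(Exception):
    """Raised when the caller is not authorized to modify the target account."""


def change_password_vulnerable(session, body):
    """Vulnerable: the account to modify comes from the POST body, not the session.
    Any logged-in user can set anyone's password by changing user_id."""
    target = int(body["user_id"])
    USERS[target] = body["new_password"]
    return target


def change_password_fixed(session, body):
    """Fixed: the authenticated user (from the server-side session) is the only
    account this endpoint may modify. A mismatched user_id is rejected and logged."""
    actor = session["user_id"]
    target = int(body["user_id"])
    if target != actor:
        # Log actor and target so enumeration attempts can be investigated;
        # never log the submitted password.
        logger.warning("IDOR attempt: user %s tried to change password of user %s",
                       actor, target)
        raise Forbidden("not authorized to modify this account")
    USERS[target] = body["new_password"]
    return target


def demo():
    """Account A (user 1) submits account B's user_id to both handlers.
    Returns (vulnerable handler overwrote B's password, fixed handler blocked it,
    B's password after the fixed handler ran)."""
    session_a = {"user_id": 1}
    attack = {"user_id": "2", "new_password": "attacker-chosen"}

    change_password_vulnerable(session_a, attack)
    vuln_overwrote = USERS[2] == "attacker-chosen"
    USERS[2] = "bob-old"  # reset the constructed store before the second run

    try:
        change_password_fixed(session_a, attack)
        fixed_blocked = False
    except Forbidden:
        fixed_blocked = True
    return vuln_overwrote, fixed_blocked, USERS[2]


if __name__ == "__main__":
    print(demo())  # (True, True, 'bob-old')
```

A stricter design drops `user_id` from the request body altogether and always modifies the session's own account; the check above keeps the parameter only because the report's recommendation is phrased as validating it. Either way, the authorization decision must come from server-side session state, never from a client-supplied identifier.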
Double check that everything is correct.
- Don't assume anything
- Be clear and concise
- Write what you want to read
- Be professional