
An unreferenced parameter that may have been useful during testing but was pushed to production
Firstly you’ll need to log in. To do this, click on the customer’s section and create an account. Once logged in, click on the Your Account tab.
The Your Account section gives you the ability to change your information such as username, email address and password. You’ll notice the username and email fields pre-filled in with your information.
We’ll start by investigating how this information gets pre-filled. If you open your browser developer tools, select the network tab and then refresh the page, you’ll see a call to an endpoint with the path /api/v1/customer?id=.
This page returns your user id, username and email address in JSON format. We can see from the path that the user information shown is taken from the query string’s id parameter.
First off, set up an account to simulate having a customer account with “Acme IT Support.”
Next, go to “Your Account” and observe that all of the information has already been filled in. This is worth noting, because it raises the question of what mechanism supplied it.
Then, if you’re using Firefox, right-click and select “Inspect.”
Go to the “Network” section. It will be empty, because the page has to be refreshed before any requests are captured. After refreshing the page, the requests appear, and the “File” column shows how the information is retrieved. “customer/?id=51” appears to be the one we are looking for, and hovering the cursor over it shows the complete string, which helps in understanding the endpoint.
Change the value in the new request to “1” and observe that the username and email in the results have changed.
Change the value again, this time to 3, and observe that the username and email in the results have changed again.
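The behaviour observed in the steps above, next to the server-side check that stops it, as an added example that is not the room's own code. The function names, the in-memory records and the `DENIED` list are assumptions made for illustration; only the id values 1, 3 and 51 come from the walkthrough.

```python
import json

# Constructed sample records standing in for the customer table (not real data).
CUSTOMERS = {
    1: {"id": 1, "username": "alice", "email": "alice@example.test"},
    3: {"id": 3, "username": "carol", "email": "carol@example.test"},
    51: {"id": 51, "username": "newuser", "email": "newuser@example.test"},
}
DENIED = []  # (session_user_id, requested_id) pairs, kept for alerting


def _reply(status, payload):
    return status, json.dumps(payload)


def _parse_id(raw):
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def customer_vulnerable(session_user_id, raw_id):
    """Trusts the id query parameter: any logged-in user can read any record."""
    if session_user_id is None:
        return _reply(401, {"error": "login required"})
    record = CUSTOMERS.get(_parse_id(raw_id))
    if record is None:
        return _reply(404, {"error": "not found"})
    return _reply(200, record)


def customer_fixed(session_user_id, raw_id):
    """Serves a record only when it belongs to the authenticated session."""
    if session_user_id is None:
        return _reply(401, {"error": "login required"})
    requested = _parse_id(raw_id)
    if requested is None:
        return _reply(400, {"error": "bad id"})
    if requested != session_user_id:
        # Same 404 whether or not the id exists, so responses do not reveal valid ids.
        DENIED.append((session_user_id, requested))
        return _reply(404, {"error": "not found"})
    record = CUSTOMERS.get(requested)
    if record is None:
        return _reply(404, {"error": "not found"})
    return _reply(200, record)
```

Entries accumulating in `DENIED` for one session are the signal worth alerting on: a logged-in account requesting ids other than its own.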
The IDOR room is a great way to learn how ID numbers can be easily changed, leading to a serious security risk. Many companies and individuals may not even realize they are vulnerable to such attacks.
Even though developers should have fixed this issue, human error can leave systems exposed, allowing attackers to exploit them.
In reality, this is likely one of the common techniques attackers us

