Accidental IDOR in eLearnSecurity to Knowing Your Address and Cert You Bought.

 

Greetings, my amazing hacker buddies! Anugrah Here is back with another blog. Today I will share how I accidentally found a simple IDOR in the Elearnsecurity website which disclosed the user's Personal Information.

What is IDOR?

Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. The term IDOR was popularized by its appearance in the 2007 edition of OWASP Top Ten. IDOR vulnerabilities are most commonly associated with horizontal privilege escalation, but they can also arise in relation to vertical privilege escalation. IDORs are observed widely and easy to spot.

TLDR;

Let's dive in!

One fine day I was going through the infosec twitter passively and sipping my coffee. Suddenly I got a WhatsApp notification from an infosec friend! He wanted some help in purchasing his Elearnsecurity certification. He didn’t have an international transaction enabled credit card. I said yes and proceeded to help him achieve his goals. 

I went to elearnsecurity.com and selected eJPT, BTW it’s a great certification! Likewise, I would totally recommend it if you are a beginner trying to get into a pentester role. Proceeded to checkout and after translation, the page went blank. I was terrified if I messed up.


Looking back at the URL from burp history and tweaking a bit, I got something like this

https://elearnsecurity.com/checkout/order-received/20080/?key=wc_order_XmcAZFYb6llmi&pdfid=20080

Visiting the URL, the Invoice was downloaded! Deep breath! Now that the primary job of cert purchase was done, I had some time to satisfy my curiosity. By this time, if you are a curious hacker like me, you would know what I might have done next.

Yes! If you thought of changing the PDF ID, then you are right! High-Five! When I changed the ID, nothing really happened.



Then I saw there is one more numerical value that can be changed. I tried changing that! https://elearnsecurity.com/checkout/order-received/20081/?key=wc_order_XmcAZFYb6llmi&pdfid=20081 To my surprise I was able to get the invoice of some other person, his billing address was also mentioned on the invoice.


https://elearnsecurity.com/checkout/order-received/<ID>/?key=wc_order_XmcAZFYb6llmi&pdfid=<ID>
Testing out a couple of more IDs, I decided to report it to INE, as they are the parent company of Elearnsecurity. They didn’t had a responsible disclosure policy at that point of time, after getting connected with their team over twitter, they made a RDP page  and I submitted the issue there. That’s it!

If you enjoyed reading the article follow on Twitter:
https://twitter.com/cyph3r_asr and Subscribe to my newsletter for weekly infosec Updates: https://www.getrevue.co/profile/anugrahsr

2 Comments

Post a Comment

Previous Post Next Post