IDOR Leads to MASS Account Takeover

In most web applications, there is a high prevalence of misconfiguration problems, particularly with regard to authorization. While testing a private program, I noticed the user_id cookie and thought to experiment by altering its value using both Burp Suite and the Chrome extension, EditThisCookie as it was a 6-digit numeric value. Unfortunately, my efforts to impersonate other users were unsuccessful.

Next, I attempted to search for an IDOR vulnerability by altering the cookie in the request. To my surprise, I was successful in this endeavor.

Testing Scenario:

1. I created two test accounts.
2. I initiated the request to change my email but intercepted the request with burp suite.
3. I modified the value of the user_id cookie to match that of my second account’s cookie.
4. Also, Email has to be new, and nonexistent on the server, so I used burp collaborator as my temporary email server, as check@xx.burpcolab.net
5. The request was successful.
6. To gain access to the victim’s account, initiate a forgot password request to your own email, for example check@xx.burpcolab.net
7. Use that forgot password link to change password and takeover victim’s account.

The problem with this attack is that the attacker can not determine whose account to compromise, because there is no way of determining the user id of your victim. So the attacker can cause mass account lock-outs by changing the email of every user on the server by brute-forcing the cookie value.

Hope you have benefitted from this read,
Have a great day!