Simple IDOR With Critical Impact
Updated: May 21, 2022
I have a friend who studied at a popular academic institution. I happened to be at his house and said, why not "look" at their website real quick? They had this new area on the website where all of the personal information is shown.
It really took only a couple of minutes to find a *very* critical IDOR (authorization bypass) issue. The issue was that it was (probably) possible to retrieve every grade chart, which contains all of the grades and other personal information of every student.
For those unfamiliar with the term IDOR (Insecure Direct Object Reference), it is a vulnerability that lets a user reference and access an object they are not authorized to see.
Sorry in advance for the massive redaction and lack of evidence, I do not want to cause any problems for my friend.
After asking for the grade chart, a POST request was sent, and in its body there was this suspicious parameter (I am not sure whether it is the grade chart ID, the student ID or something else; I did not delve into this).
I edited the "ptMsl" parameter's value, which, of course, was a sequential value (a problem in itself), and sent the request.
After that, one or more requests followed that contained unique identifiers (originating from the modified request), and then I saw another person's grade chart.
An attacker could automate this and probably retrieve every student's grade chart, which is *very* bad for the institution's reputation (on top of the students' data being exposed).
I am publishing this after verifying it was fixed, but given that this absurd issue existed (and for a long time), it is not hard for me to believe there are more issues like it on the website.
Secure development training is very important for websites that hold sensitive data.
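As an added illustration (not the institution's code and not from the original post), here is the vulnerable lookup pattern beside its fix, plus a simple heuristic for spotting the kind of enumeration described above. The grade data, user names, log format and function names are all constructed; the only name taken from the post is the ptMsl parameter.

```python
from collections import defaultdict

# Constructed sample records (not the institution's data): chart id -> owner and grades.
GRADE_CHARTS = {
    1001: {"owner": "alice", "grades": {"Algebra": 91, "Physics": 84}},
    1002: {"owner": "bob", "grades": {"Algebra": 77, "Physics": 69}},
    1003: {"owner": "carol", "grades": {"Algebra": 88, "Physics": 95}},
}


class Forbidden(Exception):
    """Raised when the session user is not authorized for the requested chart."""


def vulnerable_grade_chart(session_user: str, params: dict) -> dict:
    """IDOR pattern: the chart id comes from the client and is used as-is.

    Any logged-in user who changes ptMsl receives somebody else's grades.
    """
    chart_id = int(params["ptMsl"])
    return GRADE_CHARTS[chart_id]["grades"]


def hardened_grade_chart(session_user: str, params: dict) -> dict:
    """Fixed pattern: look the object up, then check that it belongs to the
    user taken from the server-side session, never from the request body.

    A missing chart and a foreign chart produce the same error so the caller
    cannot learn which sequential ids exist.
    """
    chart_id = int(params["ptMsl"])
    chart = GRADE_CHARTS.get(chart_id)
    if chart is None or chart["owner"] != session_user:
        raise Forbidden(f"{session_user!r} may not read chart {chart_id}")
    return chart["grades"]


def enumeration_suspects(log_lines: list, threshold: int = 3) -> list:
    """Detection heuristic: users that requested more distinct ptMsl values
    than `threshold`. The log format is an assumption for this example:
    '<user> ptMsl=<id> <http_status>'.
    """
    seen = defaultdict(set)
    for line in log_lines:
        user, ptmsl, _status = line.split()
        seen[user].add(ptmsl.split("=", 1)[1])
    return sorted(u for u, ids in seen.items() if len(ids) > threshold)
```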