Hola everyone, today's write-up is about an IDOR that allowed me to get the email and password of every Domino's user.
So, what is IDOR?
OWASP Top 10 explained: IDOR (Insecure Direct Object Reference) is a common vulnerability that occurs when a reference to an internal implementation object is exposed without any other access control. The vulnerability is often easy to discover and allows attackers to access unauthorized data.
I could find out the email and password of any user just by changing “Customer_id”.
Reproduce:
- Open the Domino's app and register / log in to an account
- Go to Settings / Manage Account
- Capture/intercept the request (I'm using Burp Suite)
- Change Customer_id, and do Intercept -> Response to this request
- You can now see the email and password of that customer
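To make the defensive side of this concrete, here is an added example (not code from the original post and not Domino's code; every name, record and log line in it is constructed). It shows the pattern behind the bug, a "manage account" handler that looks up whatever customer_id the client sends, next to a hardened handler that ties the lookup to the authenticated session and never serialises the credential field at all. It also includes a small log check a defender could run to spot one session reading many different customer_ids.

```python
"""Constructed illustration of the IDOR described above.

manage_account_vulnerable: trusts the client-supplied customer_id.
manage_account_fixed: checks ownership against the session and never
returns the stored credential.
flag_idor_probing: finds sessions that request many distinct customer_ids.
All data, endpoint names and log lines are made up for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class Customer:
    customer_id: int
    email: str
    # Constructed placeholder; a real system stores a salted hash, never
    # the password itself, and never sends it back to a client.
    password_hash: str


# In-memory stand-in for the backend customer store (constructed data).
CUSTOMERS = {
    1001: Customer(1001, "alice@example.com", "$argon2id$placeholder-alice"),
    1002: Customer(1002, "bob@example.com", "$argon2id$placeholder-bob"),
}


def manage_account_vulnerable(session_user_id: int, requested_id: int):
    """Returns (status, body). The session is never consulted, so any
    logged-in user can read any other customer's record by changing the id,
    and the handler even serialises the credential field."""
    record = CUSTOMERS.get(requested_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, {
        "customer_id": record.customer_id,
        "email": record.email,
        "password": record.password_hash,
    }


def manage_account_fixed(session_user_id: int, requested_id: int):
    """Returns (status, body). Two independent controls:
    1. the record is returned only when it belongs to the authenticated user;
    2. the credential field is not part of the response shape, so a future
       authorization slip cannot leak it either."""
    if requested_id != session_user_id:
        # Same response for "not yours" and "does not exist" so the endpoint
        # cannot be used to enumerate which customer_ids are valid.
        return 403, {"error": "forbidden"}
    record = CUSTOMERS.get(session_user_id)
    if record is None:
        return 403, {"error": "forbidden"}
    return 200, {"customer_id": record.customer_id, "email": record.email}


# Constructed access-log lines in a hypothetical format: one session (s2)
# walks through several customer_ids, which is what IDOR probing looks like.
SAMPLE_LOG = [
    "session=s1 GET /customer/manage customer_id=1001 status=200",
    "session=s2 GET /customer/manage customer_id=1001 status=200",
    "session=s2 GET /customer/manage customer_id=1002 status=200",
    "session=s2 GET /customer/manage customer_id=1003 status=200",
]

LOG_RE = re.compile(r"session=(\S+) .*customer_id=(\d+)")


def flag_idor_probing(lines, threshold=2):
    """Return the set of sessions that requested at least `threshold`
    distinct customer_ids. A legitimate account page touches one id."""
    ids_per_session = {}
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        session, customer_id = match.group(1), int(match.group(2))
        ids_per_session.setdefault(session, set()).add(customer_id)
    return {s for s, ids in ids_per_session.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print(manage_account_vulnerable(1001, 1002))  # leaks bob's record
    print(manage_account_fixed(1001, 1002))       # 403
    print(manage_account_fixed(1001, 1001))       # alice's email only
    print(flag_idor_probing(SAMPLE_LOG))          # {'s2'}
```

The ownership check is the fix for the IDOR itself; dropping the credential from the response shape is the defence in depth that would have turned this from "email and password" into "email" even if the authorization check had been missed.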
Timeline
Initial report: 3 May 2020
Domino's: reproduced / sent to product team, 4 May 2020
Fixed: 11 May 2020
Thanks for reading. Happy hunting.