Beginner question here - I’ve been hunting for IDORs using the BurpSuite add-on Autorize. I started by creating two accounts for the website I’m targeting. I logged in to both accounts and took the cookie from account 2 and pasted it into Autorize as a temporary header. Then after some poking around using account 1, I found that when I uploaded a file on this website (more specifically I uploaded a file to my user profile where only the logged in user should be able to upload), it uploaded 3 files - one from my original POST request (account #1), one from the modified request (account #1 with account #2’s cookie), and one from the unauthenticated request.
From my base level of understanding, it seems as though I may have found an IDOR. My problem is I am not sure what my next steps should be. Are the file uploads proof of a bug in this case? Or do I need to further validate this? If so, what can I do to validate?
Any help would be much appreciated!
I think I understand what you described, because I noticed similar scenarios on other applications.
What you want to confirm first is whether the request to upload a file is sent to the application in scope or to s3.amazonaws.com or another service. Also, what happens after you upload the file?
There would be an IDOR if you can upload a file to the profile of another user. I think that’s not the case here, from what I understand. But please share more details so I can understand better.
Hi @stefanofinding, to be more specific, this website is a job board site. In the scenario I described, the file I am uploading is a resume and I am in fact uploading it to the profile of account #1. In this case all three POST requests were able to successfully upload a resume to account #1’s profile (so now there are 3 duplicate resumes on the profile). Does that clarify?
Thanks @knarf1234. I think you found a bug. So, I would report it. But try to be very specific and clear about what you did and what happened. For instance, let’s say you can change my profile photo on this forum from your account: you should make that clear and describe how you achieved it. It’s not very clear to me exactly what you found, but it’s probably because I’m missing some specific details that can’t be disclosed. So, make sure to include those in the report.
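To make concrete what the three Autorize variants from the thread should look like against a correctly authorized endpoint, here is an added example (not code from the site, from Autorize or from anyone in the thread) using a hypothetical in-memory job-board upload handler with constructed sessions and profiles: the vulnerable handler trusts the client-supplied profile id and never checks the session, while the hardened one derives the target profile from the session cookie.

```python
from typing import Optional, Tuple, Dict, Callable
from dataclasses import dataclass

# Constructed state for a hypothetical job-board upload endpoint (example only).
SESSIONS = {"cookie-A": "user1", "cookie-B": "user2"}   # session cookie -> user id
PROFILES: Dict[str, list] = {"user1": [], "user2": []}  # user id -> uploaded resumes


@dataclass
class Request:
    cookie: Optional[str]   # None models Autorize's unauthenticated replay
    profile_id: str         # profile the client *claims* to upload to
    filename: str


def upload_vulnerable(req: Request) -> Tuple[int, Optional[str]]:
    """Trusts profile_id from the request body and ignores the session.
    This reproduces the thread: original, swapped-cookie and unauthenticated
    requests all succeed and all land in account #1's profile."""
    PROFILES.setdefault(req.profile_id, []).append(req.filename)
    return 201, req.profile_id


def upload_hardened(req: Request) -> Tuple[int, Optional[str]]:
    """Resolves the caller from the session and only allows uploads to the
    caller's own profile; anything else is rejected before touching storage."""
    user = SESSIONS.get(req.cookie) if req.cookie else None
    if user is None:
        return 401, None            # no / invalid session: reject
    if req.profile_id != user:
        return 403, None            # cross-account attempt: reject (this is the IDOR case)
    PROFILES[user].append(req.filename)
    return 201, user


def autorize_style_check(handler: Callable, original: Request) -> Dict[str, int]:
    """Replays the three requests Autorize generates (original, other account's
    cookie, no cookie) and returns the status code of each."""
    swapped = Request("cookie-B", original.profile_id, original.filename)
    unauth = Request(None, original.profile_id, original.filename)
    return {
        "original": handler(original)[0],
        "swapped_cookie": handler(swapped)[0],
        "unauthenticated": handler(unauth)[0],
    }


def reset() -> None:
    for resumes in PROFILES.values():
        resumes.clear()
```

A correct endpoint should give 201 / 403 / 401 for the three variants; three 201s with three copies on the same profile, as reported above, means the server is not tying the upload to the session at all.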