Account Takeover Using A Simple IDOR ~~ easy win

Akshat singhal
2 min read · Jun 6, 2020

Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. IDOR is an easy bug to hunt, but sometimes we miss it because of its simplicity. Generally, IDORs show up in the URL, where you change a parameter value and bypass the server-side check.

Today I am going to tell the story of how I found an IDOR that led to account takeover.

In this post, we will discuss the following:
* IDOR
* Critical bug ~ easy win

I was searching for an easy bug like rate limiting or tokens in the URL. When I opened Burp, I saw that the cookie was passing a parameter named user. This looked a little weird to me, but I ignored it and moved forward. When I checked 3–4 functionalities, I saw that the same user ID was being passed in every request, in every POST body. Suddenly a thought struck me about the password reset functionality: maybe the same thing was happening with the password-reset function too. I went to that functionality and found that the site first checks the authenticity and then sends a URL to the user’s email. It was quite convincing that this was secure.

I moved on to another functionality. At the end I checked the URL that was sent to my email, thinking that maybe I could find something juicy in the URL, but no luck: there was nothing in my hands with that URL. Then I finally submitted the URL and changed my password. Suddenly **I saw that the password-changing request had a USERID parameter**. At this instant, I tried changing it to another user’s ID and boom! Password changed.
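To make the bug class concrete from the defender's side, here is an added example (not code from the original post or from the affected site) of the password-reset pattern described above: a handler that trusts the USERID field in the POST body, next to a hardened version that takes the user from the server-side reset-token record and rejects a mismatching client-supplied ID. The user IDs, emails, token store and hashing are constructed for the demo and are assumptions, not details from the report.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory "database" of users (hypothetical data, not from the post).
USERS = {
    "u100": {"email": "alice@example.com", "pw_hash": None},
    "u200": {"email": "bob@example.com", "pw_hash": None},
}

# Reset tokens the server issued after verifying the email owner, keyed by token.
# Each entry remembers WHICH user the token was issued for; that record, not the
# request body, is the only trustworthy object reference.
RESET_TOKENS = {}


def hash_password(password: str) -> str:
    # Placeholder hashing for the demo; a real service would use a slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def issue_reset_token(user_id: str, ttl_seconds: int = 900) -> str:
    """Step 1 of the flow in the post: after the authenticity check, bind a fresh
    token to the requesting user and (in a real app) mail the URL containing it."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = {"user_id": user_id, "expires": time.time() + ttl_seconds}
    return token


def change_password_vulnerable(body: dict) -> str:
    """The pattern the post describes: the handler checks that the token is valid
    but then trusts the USERID field in the body to decide whose password to set."""
    rec = RESET_TOKENS.get(body.get("token", ""))
    if rec is None or rec["expires"] < time.time():
        return "invalid token"
    target = body.get("userid")  # client-controlled object reference
    if target not in USERS:
        return "unknown user"
    USERS[target]["pw_hash"] = hash_password(body["new_password"])
    del RESET_TOKENS[body["token"]]
    return f"password changed for {target}"


def change_password_fixed(body: dict) -> str:
    """Hardened version: the user comes from the server-side token record. A
    client-supplied USERID is tolerated only if it agrees with that record; a
    mismatch is refused and is exactly the event worth alerting on."""
    token = body.get("token", "")
    rec = RESET_TOKENS.get(token)
    if rec is None or rec["expires"] < time.time():
        return "invalid token"
    owner = rec["user_id"]
    claimed = body.get("userid")
    if claimed is not None and not hmac.compare_digest(str(claimed), owner):
        return "rejected: userid does not match token owner"
    USERS[owner]["pw_hash"] = hash_password(body["new_password"])
    del RESET_TOKENS[token]  # single use
    return f"password changed for {owner}"
```

The fix is not about validating the format of USERID; it is that the server already knows who the token belongs to, so the body field carries no authority at all. The same rule applies to the user ID the author saw repeated in every POST body: if the session or token identifies the user, the server-side lookup should use that, and a disagreement between the two is a signal for detection rather than something to silently accept.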

It was simple, and it led to account takeover. I reported it, and it got triaged as P1.

Takeaways
Always try till the end, don’t lose hope, keep digging, and happy hacking.

Akshat singhal

Web Penetration tester, Bug Hunter, Ethical Hacker, Bugcrowd to 700, Blogger