Simon McCabe

OSCP · OSWP · PWPP · PWPA · PAPA · EnCE · Linux+ · LPIC-1 · Network+ · Security+ · Pentest+ · eJPT · eWPT · BSc · PGCert

QueryWho - IDOR




Platform: Webverse
Target: https://98115216-3953-querywho-36dff.events.webverselabs-pro.com/
Vulnerability class(es): IDOR

1. Information Gathering

Immediately upon loading the webapp, I saw an org id which stood out. I continued looking around the app but nothing whatsoever was standing out. Nothing was clickable. All I had was the org id and that it was the org I belonged to.


2. Cookies

Clicking around revealed a new cookie was assigned to me with the id of 55.

3. RePETER (intruder)


A short while ago, I made an Intruder copy for Burp Community so I could fuzz without restrictions. I sent the request over there and wrapped the target.

I initially did many more requests than this, but it turned out that org id 1 was simply the one we needed.


My extension allows you to perform a real-time search for matching text, so I searched "WEBV" for the beginnings of a flag.

4. Flag

Now I had a hit.


5. Summary

This was a simple IDOR vulnerability, and despite the app looking complex, there wasn't much functionality, so finding this was the most logical thing. Admittedly, I still managed to go down rabbit holes.
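
The server-side fix for this class of bug is to authorize the requested org id against the session's own membership instead of trusting the value in the request, and to log denials so enumeration shows up. The following is an added example, not code from the lab or from this writeup; the function names, the `DenialLog` helper and all sample records are hypothetical and constructed.

```python
# Added example: all names and data below are constructed, not from the lab.
from dataclasses import dataclass, field

ORGS = {  # constructed sample records keyed by org id
    1: {"name": "Admin Org", "notes": "constructed-secret"},
    7: {"name": "Member Org", "notes": "nothing sensitive"},
}
SESSIONS = {"55": {"user": "alice", "org_ids": {7}}}  # cookie id -> membership


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested object."""


def get_org_vulnerable(session_id: str, org_id: int) -> dict:
    """IDOR: authenticates the session but trusts the client-supplied org id."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    return ORGS[org_id]


@dataclass
class DenialLog:
    """Counts distinct denied org ids per session to surface enumeration."""
    denied: dict = field(default_factory=dict)

    def record(self, session_id: str, org_id: int) -> None:
        self.denied.setdefault(session_id, set()).add(org_id)

    def enumerating(self, threshold: int = 3) -> list:
        return [s for s, ids in self.denied.items() if len(ids) >= threshold]


def get_org_hardened(session_id: str, org_id: int, log: DenialLog) -> dict:
    """Authorizes the object against server-side membership, not the request."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise Forbidden("not logged in")
    if org_id not in session["org_ids"]:
        log.record(session_id, org_id)  # same error for missing and foreign ids
        raise Forbidden("org not found")
    return ORGS[org_id]
```

Returning the same error for non-existent and foreign org ids keeps the response from confirming which ids are valid.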

