How I found an IDOR in my college ERP system 😉

Soumyadeep Basu
4 min read · Oct 7, 2020


Let me start with a "disclaimer" :P I am not a bug bounty hunter and I tend to align myself more towards penetration testing and reverse-engineering, so opportunities like these are rare for me, and yeah, I did enjoy this experience and I hope you do too :)

What is an IDOR

— — — — — — — — — —

IDOR, or Insecure Direct Object Reference, occurs when an application provides direct access to objects based on user-supplied input (an id in a URL, a form field, a cookie) without checking that the requesting user is allowed to reach that object. As a result, attackers can bypass authorization and access resources in the system directly.

Example of an IDOR
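To make the definition concrete, here is an added example (not the ERP's code, and not from the original post) of a receipt download handler with exactly the two gaps described later in the post, next to a hardened version. The receipt store, the `student_id` session field and the `Receipt` shape are assumptions made up for the example.

```python
"""Added example: an IDOR-prone receipt lookup beside a hardened one.

Assumptions (hypothetical, not taken from the page): receipts live in a dict
keyed by integer id, and a 'session' is a dict holding the logged-in
student's id, or None for an unauthenticated (incognito) request.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Receipt:
    receipt_id: int
    owner_id: str
    amount: int


# Constructed sample data standing in for the ERP's receipt table.
RECEIPTS = {
    141: Receipt(141, "student-A", 50000),
    142: Receipt(142, "student-B", 50000),
}


class HttpError(Exception):
    def __init__(self, status: int, msg: str):
        super().__init__(msg)
        self.status = status


def receipt_vulnerable(receipt_id: int, session: Optional[dict]) -> Receipt:
    """Vulnerable: the path parameter alone selects the object.
    Nothing checks that a user is logged in, and nothing checks that the
    receipt belongs to that user."""
    try:
        return RECEIPTS[receipt_id]
    except KeyError:
        raise HttpError(404, "no such receipt")


def receipt_fixed(receipt_id: int, session: Optional[dict]) -> Receipt:
    """Hardened: authenticate first, then authorize against the object's
    owner. A receipt owned by someone else gets the same 404 as a missing
    id, so the endpoint does not reveal which ids exist."""
    if session is None or "student_id" not in session:
        raise HttpError(401, "login required")
    receipt = RECEIPTS.get(receipt_id)
    if receipt is None or receipt.owner_id != session["student_id"]:
        raise HttpError(404, "no such receipt")
    return receipt


def status_of(handler: Callable, receipt_id: int, session: Optional[dict]) -> int:
    """The HTTP status a request would receive from the given handler."""
    try:
        handler(receipt_id, session)
        return 200
    except HttpError as e:
        return e.status


if __name__ == "__main__":
    me = {"student_id": "student-A"}
    for name, handler in (("vulnerable", receipt_vulnerable), ("fixed", receipt_fixed)):
        print(f"{name:10s} own receipt: {status_of(handler, 141, me)} | "
              f"other student's: {status_of(handler, 142, me)} | "
              f"incognito: {status_of(handler, 142, None)}")
```

The point of the hardened version is the ownership comparison, not the login check on its own: an authenticated student who changes 141 to 142 is the original finding, and only the `owner_id` test stops it. Returning 404 rather than 403 for someone else's receipt is a deliberate choice so that ids cannot be enumerated by watching which ones answer "forbidden".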

Discovery

— — — — — —

One day I decided to download the provisional fee receipt issued by our college. For those of you who are unaware, our college uses an ERP (enterprise resource planning) system to manage non-academic tasks.

erp.iiita.ac.in

When I clicked on "print receipt" something like this opened up…

My provisional fee receipt

Now as soon as I saw this URL and the corresponding Ref. No., I was curious, so I decided to play with it 🤔

My fee receipt pdf → https://erp.iiita.ac.in/popup/fna/report/receipt/141/5

Target fee receipt pdf → https://erp.iiita.ac.in/popup/fna/report/receipt/142/5

I decided to change the URL and make 141 → 142, and voilà, I was in 😱

Someone else's provisional fee receipt

If you are thinking this is the end of it, you are mistaken 😉

I had a strange hunch and decided to pursue it. I opened up an incognito window and browsed to the same URL (no authorization cookies stored), and again I was in 🤯

Target fee receipt (incognito) → https://erp.iiita.ac.in/popup/fna/report/receipt/142/5

That means anyone can extract personally identifiable information for any other user with absolutely zero authentication, armed with nothing but knowledge of the URL 😢
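From the operator's side, both halves of this finding leave a footprint in the web server log: successful downloads of a receipt with no session cookie, and one client walking through consecutive receipt ids. The following is an added example (mine, not the ERP's, and not from the original post) that runs such a check over a few constructed access-log lines. The log format is assumed: Apache combined format with the session cookie value appended as a last field (`-` when absent), and the `/popup/fna/report/receipt/<id>/<n>` path shape is taken from the URLs above.

```python
"""Added example: spot IDOR-style access to receipt PDFs in web server logs.

Assumed log format (hypothetical): Apache combined log with one extra field,
the value of the session cookie, or '-' when the request carried none.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" (?P<cookie>\S+)$'
)
# Receipt endpoint shape from the post: /popup/fna/report/receipt/<id>/<n>
RECEIPT_RE = re.compile(r"^/popup/fna/report/receipt/(?P<rid>\d+)/\d+$")

# Constructed sample log: 10.0.0.5 fetches four different receipts while
# logged in, then one of them with no cookie at all; 10.0.0.9 fetches one
# receipt normally.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Oct/2020:10:00:01 +0530] "GET /popup/fna/report/receipt/141/5 HTTP/1.1" 200 48211 "-" "Mozilla/5.0" sid=abc123
10.0.0.5 - - [07/Oct/2020:10:00:20 +0530] "GET /popup/fna/report/receipt/142/5 HTTP/1.1" 200 48190 "-" "Mozilla/5.0" sid=abc123
10.0.0.5 - - [07/Oct/2020:10:00:31 +0530] "GET /popup/fna/report/receipt/143/5 HTTP/1.1" 200 48175 "-" "Mozilla/5.0" sid=abc123
10.0.0.5 - - [07/Oct/2020:10:00:44 +0530] "GET /popup/fna/report/receipt/144/5 HTTP/1.1" 200 48203 "-" "Mozilla/5.0" sid=abc123
10.0.0.5 - - [07/Oct/2020:10:01:02 +0530] "GET /popup/fna/report/receipt/142/5 HTTP/1.1" 200 48190 "-" "Mozilla/5.0" -
10.0.0.9 - - [07/Oct/2020:10:05:00 +0530] "GET /popup/fna/report/receipt/300/5 HTTP/1.1" 200 47990 "-" "Mozilla/5.0" sid=zzz9
10.0.0.9 - - [07/Oct/2020:10:05:03 +0530] "GET /static/logo.png HTTP/1.1" 200 1203 "-" "Mozilla/5.0" sid=zzz9
"""


def parse_receipt_request(line: str) -> Optional[dict]:
    """Return the fields of a receipt-endpoint request, or None for any
    other line (non-matching format or a different path)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    r = RECEIPT_RE.match(m["path"])
    if not r:
        return None
    return {
        "ip": m["ip"],
        "rid": int(r["rid"]),
        "status": int(m["status"]),
        "authenticated": m["cookie"] != "-",
    }


def find_anomalies(log_text: str, max_distinct: int = 3
                   ) -> Tuple[List[Tuple[str, int]], Dict[str, List[int]]]:
    """Two findings: (1) receipt PDFs served (HTTP 200) to requests with no
    session cookie; (2) clients that pulled more than `max_distinct`
    different receipt ids, which is what id-walking looks like."""
    unauthenticated: List[Tuple[str, int]] = []
    ids_by_ip: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        req = parse_receipt_request(line)
        if req is None:
            continue
        if req["status"] == 200 and not req["authenticated"]:
            unauthenticated.append((req["ip"], req["rid"]))
        if req["status"] == 200:
            ids_by_ip[req["ip"]].add(req["rid"])
    enumeration = {ip: sorted(ids) for ip, ids in ids_by_ip.items()
                   if len(ids) > max_distinct}
    return unauthenticated, enumeration


if __name__ == "__main__":
    unauth, enum_ = find_anomalies(SAMPLE_LOG)
    print("receipts served without a session:", unauth)
    print("clients walking receipt ids:", enum_)
```

The threshold is deliberately a parameter: a student may legitimately have a handful of receipts, so tune `max_distinct` to what one account can own. Once the endpoint is fixed the first check should turn up nothing at all, which makes it a cheap regression signal to keep in place.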

Impact

— — — — —

Now a provisional fee receipt PDF contains sensitive information, among which the student's signature and the official stamp should be regarded as confidential.

Personally Identifiable Information

Reporting

— — — — — —

My first point of contact was my college professor, who advised me to draft a formal mail.

Reporting

Within minutes I drafted a formal mail after completing the formalities…

Report

Fix and Reward

— — — — — — — — —

I will be honest here: I have reported a few bugs in the past and the response time is usually quite high, but this was an exception. 😮

It was really amazing to see how, after a few mail exchanges, this issue was quickly escalated, brought to proper attention and resolved in a swift ~5 hr span, which is exceptionally fast o_O

It's fixed now, so no use trying :P

fixed

Well, happiness does not always lie in the monetary side of things 🤗 As a reward I did receive some kind words 😄 and "official" permission to pentest the ERP system 😎

reward

Although this entire experience was in itself an "adventure" for me, since I was not sure how well it would be accepted, in the end it was ez 😋

thank you

*** You just read frostbite. Hope you enjoyed the article; suggestions are always welcome :)
