My Bug Hunting Journey with IDORs Part 1


Hi, bug hunters. In this write-up, I will tell you how I accidentally became a bug hunter. It's all about my journey and how I started. I want to tell you that I am not good at English, so I apologize if I make any mistakes in the write-up.

It was the last year of my college, and I was renewing my scholarship form on my friend's laptop. When I was updating my contact number and other details, I noticed some encoded text in the URL.


At that time I had no idea what it was, so I immediately searched on Google and found a tool called Hash Analyzer.


I used that tool to identify the encoded text and found that it was Base64. I then found a Base64 decoder tool to convert it back to text.


After decoding the Base64 characters, I found a number that was my application id. I was very curious to know what would happen if I changed my application id to my friend's application id, so I thought I would reverse the whole process.

I converted my friend's application id into Base64, put it in the URL and hit enter.


I was able to access and update my friend's contact and bank account details.

I was curious to know more about that application behaviour. I searched on Google and found many blogs and videos, and learned that what I had accidentally found is an issue called Insecure Direct Object Reference (IDOR). I contacted the scholarship department and told them the whole thing.
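The root cause in the story above is that the portal treated a Base64-encoded id as if it were a permission check: Base64 is an encoding, not authentication, and anyone can produce a valid token for any id. The following is an added example written for this write-up, not the scholarship portal's code or the author's. It uses a constructed in-memory record set and hypothetical function names to show the vulnerable lookup beside a hardened one that ties every record access to the logged-in user and logs denials so that repeated attempts show up in review.

```python
import base64
from typing import Optional

# Constructed sample records standing in for a scholarship portal's database
# (hypothetical data, not the real application's).
APPLICATIONS = {
    1001: {"owner": "alice", "contact": "555-0100", "bank": "ACCT-A"},
    1002: {"owner": "bob", "contact": "555-0200", "bank": "ACCT-B"},
}

# Audit trail of denied lookups; a real service would write this to its log.
AUDIT_LOG: list[dict] = []


def encode_app_id(app_id: int) -> str:
    """Encode a numeric application id the way the URL parameter carried it."""
    return base64.b64encode(str(app_id).encode("ascii")).decode("ascii")


def decode_app_id(token: str) -> int:
    """Decode the URL token back to an integer id.

    Raises ValueError (binascii.Error and UnicodeDecodeError are subclasses)
    when the token is not well-formed Base64 or not a decimal number.
    """
    return int(base64.b64decode(token).decode("ascii"))


def vulnerable_get_application(session_user: str, token: str) -> dict:
    """IDOR: returns whatever record the URL names.

    The session user is ignored, so the token alone selects the record and
    encoding it in Base64 adds no protection.
    """
    app_id = decode_app_id(token)
    return APPLICATIONS[app_id]


def hardened_get_application(session_user: str, token: str) -> Optional[dict]:
    """Return the record only if it belongs to the authenticated user.

    Returns None for a malformed token, an unknown id, or an id owned by
    someone else, so the web layer can answer every failure the same way
    (a 403 or 404) without revealing which ids exist.
    """
    try:
        app_id = decode_app_id(token)
    except ValueError:
        AUDIT_LOG.append({"user": session_user, "token": token, "reason": "malformed"})
        return None

    record = APPLICATIONS.get(app_id)
    if record is None or record["owner"] != session_user:
        # Log the denial; many of these from one session is a sign of id probing.
        AUDIT_LOG.append({"user": session_user, "app_id": app_id, "reason": "not_owner"})
        return None
    return record


def denied_count(session_user: str) -> int:
    """How many denied lookups a given user has accumulated in the audit log."""
    return sum(1 for event in AUDIT_LOG if event["user"] == session_user)


if __name__ == "__main__":
    bobs_token = encode_app_id(1002)
    print("vulnerable:", vulnerable_get_application("alice", bobs_token)["owner"])
    print("hardened:", hardened_get_application("alice", bobs_token))
    print("denials for alice:", denied_count("alice"))
```

The hardened version never uses the URL id as the sole selector: the owner check runs against the session identity on every request, and the same `None` result covers malformed tokens, missing ids and foreign records, which keeps the response from leaking which ids are valid.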

Security Researcher | Bug Bounty Hunter
