My Bug Hunting Journey with IDORs Part 1

Dewanand Vishal
3 min read · Oct 27, 2019

Hi, bug hunters. In this write-up, I want to share my story of how I accidentally became a bug hunter. It’s all about how my journey started. I want to tell you that I am not good at English, so I apologise if I make any mistakes in the write-up.

It was the last year of my college and I was renewing my scholarship form on my friend’s laptop. While I was updating my contact number and other details, I noticed some encoded text in the URL.

At the time I had no idea what it was, so I immediately searched on Google and found a tool called Hash Analyzer.

I used that tool to identify the encoded text and found it was Base64 encoded, so I found a Base64 decoder to convert it back into plain text.

After decoding those Base64 characters, I found a number that was my application ID. I was very curious to know what would happen if I changed my application ID to my friend’s application ID, so I decided to reverse the whole process.

I converted my friend’s application ID into Base64, put it into the URL and hit enter. I was able to access and update my friend’s contact details, bank account details and other things.

(Screenshots: contact details; bank account details)

I was also able to access and upload other users’ documents, like the previous year’s mark-sheet and bank passbook.

(Screenshot: documents)

I was curious to understand that application behaviour. I searched on Google, found many blogs and videos, and accidentally discovered that this is an issue called Insecure Direct Object Reference (IDOR). I contacted the scholarship department and they fixed the issue within 24 hours of my report.
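The root cause described above is that the portal treated a Base64-encoded application ID as if it were a secret, when Base64 is a reversible encoding that anyone can decode and re-encode. The following is an added example, not code from the original post or from the scholarship portal: it models the vulnerable handler beside a hardened one that checks the record’s owner against the logged-in user. The application records, owner names and IDs are constructed for the example, and the function and field names are assumptions.

```python
import base64
import binascii

# Constructed sample data: application records keyed by numeric application id.
# Owners, contacts and account labels are made up for this example.
APPLICATIONS = {
    1001: {"owner": "student_a", "contact": "+91-00000-00001", "bank": "ACCT-A"},
    1002: {"owner": "student_b", "contact": "+91-00000-00002", "bank": "ACCT-B"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested record."""


def encode_app_id(app_id: int) -> str:
    """Produce the URL parameter the way the portal did: Base64 of the decimal id."""
    return base64.b64encode(str(app_id).encode()).decode()


def decode_app_id(token: str) -> int:
    """Reverse the URL parameter. Anyone can do this, so the encoding is not
    an access control; malformed input raises ValueError (binascii.Error is a
    subclass of ValueError)."""
    return int(base64.b64decode(token, validate=True).decode())


def get_application_vulnerable(session_user: str, token: str) -> dict:
    """IDOR: the record is looked up purely from the URL parameter.
    session_user is ignored, so any logged-in user can read any record."""
    return APPLICATIONS[decode_app_id(token)]


def get_application_fixed(session_user: str, token: str) -> dict:
    """Hardened handler: the id is still taken from the URL, but the record is
    only returned if it belongs to the authenticated user. Malformed tokens and
    records owned by someone else are rejected the same way, so a caller cannot
    tell from the response whether a guessed id exists."""
    try:
        app_id = decode_app_id(token)
    except (ValueError, binascii.Error):
        raise Forbidden("invalid application reference")
    record = APPLICATIONS.get(app_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden("not the owner of this application")
    return record


if __name__ == "__main__":
    mine = encode_app_id(1001)
    theirs = encode_app_id(1002)
    print("my token:", mine, "->", decode_app_id(mine))
    print("vulnerable, other user's record:", get_application_vulnerable("student_a", theirs))
    print("fixed, own record:", get_application_fixed("student_a", mine))
    try:
        get_application_fixed("student_a", theirs)
    except Forbidden as exc:
        print("fixed, other user's record:", exc)
```

The fix that matters is the ownership comparison inside `get_application_fixed`; making the token harder to decode would not help, because the server must still map it back to a record and would still skip the check. A reviewer looking for this class of bug can search for every handler that resolves a record from a client-supplied identifier and confirm that each one compares the record’s owner to the session before returning or updating it.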
