Open in app

Sign in

Write

Sign in

How I Hacked my university’s Lab Portal and gained access to all accounts :)

SHARAN.K
3 min readJan 6, 2023

--

A tale of IDOR leads to account takeover!!!

I want to share with you how I hacked my college’s website on the first day of 2023.

website: redacted.univ.edu.in

what is IDOR?

This is a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly without any filters.

What is an account takeover vulnerability?

This vulnerability allows the attacker to gain unauthorized and full access to the victim’s account by exploiting the authentication flaw in the application.

Now, let’s look at the bugs.

To help understand better, having IDOR vulnerability means there is a chance of horizontal privilege escalation. Which can help tamper with sensitive information across users.

The website has a login page that contains USERNAME and PASSWORD fields.

Login page

When I tried to log in using my credentials it redirects me to the dashboard page.

Where I can see My account info, Settings, log out, and other pieces of stuff.

Then I opened the settings page, It has my username, Reg num, gender, Dept, mail id, and mobile number.

And also there is one option to change the password…..

Password changing option

Why can't we try IDOR here?

Suddenly opened Burpsuite and intercepted the password change request.

The request :

In the header, there is an Authorization Bearer token. It is authorizing the user. (BUT NOT in password change)

Decoded the JWT Token :

JWT decoding

I changed the values of the data(JWT) and sent the request. Surprisingly

NO ERROR. Successfully changing the password.

The server is checking only if the JWT is present or not but it is not validating it.

The response :

Response

Then I checked each and every parameter in the request. And removed the unwanted parameters.

Final Request

we need only a username, password, and key for the request.

Key — Here key value is “john” for every request.

Exploitation Starts Here :

I entered some other username(friends account)and checked the response was success 200 OK.

And the password is changed for that account.

Account takeover was done successfully !!!

Regards,

SHARAN K

## HAPPY HACKING ##

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Bug Bounty
Jwt Token
Hackin
Bug Bounty Tips
Vulnerability

--

--

SHARAN.K
SHARAN.K

Written by SHARAN.K

72 Followers
11 Following

I am a cybersecurity student in SRM university chennai.

Responses (1)

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams