webProeasy

Lab 27 — AdReach — CSRF + IDOR Account Takeover via Profile Update

hackadvisor

Task: advertising campaign management platform with profile update API that uses client-supplied u_id without authorization checks, plus password reset endpoint that leaks tokens in response. Solution: exploit IDOR in /api/profile/update to change admin's email, then abuse password reset token disclosure to take over admin account and access private workspace containing the flag.

$ ls tags/ techniques/

information_disclosure idor csrf broken_access_control account_takeover honeypot_decoy sequential_id password_reset_token_leak profile_update

idor_exploitationsequential_id_enumerationparameter_tamperingdecoy_flag_evasionpassword_reset_abuse

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 116 — InsightForge — IDOR via Undocumented Internal API— hackadvisor
[web][Pro]Lab 15 — ProfileHub — IDOR in User Profile API— hackadvisor
[web][Pro]TeamForge — IDOR to Owner Account Takeover via Weak Passwords— hackadvisor
[web][Pro]Lab 7 — TeamForge - Privilege Escalation via Invitation Flow— hackadvisor
[web][Pro]Lab 259 — TalentBridge — IDOR in Employee Profile Endpoints— hackadvisor