IDOR Exploitation via HPP – API hacking case study

During a recent penetration test for a major online retailer, we evaluated their customer API, which had undergone previous security assessments. As expected, there were no obvious vulnerabilities such as XSS or SQL injections, and an automated scan with Burp Suite revealed no high or critical issues. To uncover deeper security flaws, we initially tested for Insecure Direct Object References (IDOR) by manipulating IDs, but these attempts didn’t yield results. Ultimately, we discovered a critical vulnerability through IDOR exploitation via HPP (HTTP Parameter Pollution). This case study underscores the importance of creative testing approaches in uncovering hidden risks even in well-audited environments.

NOTE: We found the vulnerability discussed herein within a major organization. We had to redact images to uphold confidentiality agreements and protect sensitive information.

Bypassing ACLs – IDOR exploitation via HPP

This API had some very interesting endpoints, as you’d expect. What stood out to us was that the design was a bit awkward. For example, in order to fetch the details of the currently logged-in user, you need to pass the current customer id as a path parameter in the URL. Why do this in the first place? Why not take the id from the session or from the (signed & verified) JWT? Anyway, this looks like a great target for an IDOR/BOLA issue, doesn’t it?

As you’d expect, we tried to increment/decrement the customer id in the URL, but no luck. The next idea we had was: shall we try an HPP attack and see what happens? HPP essentially means adding another parameter with the same name as an existing parameter, in this case the customer id. But how shall we name this parameter? We need to guess the name exactly! So, we had a look at the JSON response and saw the “customerId” key. Developers are in general pretty consistent, so let’s add a new parameter called customerId as a GET parameter and check what happens. Below you can see how we exploited the /customers/<<customer_id>> endpoint to steal PII of another customer by simply adding a GET parameter with the name customerId and a random integer value.

Get Customer API endpoint: IDOR exploited via HPP to steal PII of another customer (image redacted)

This was a systemic issue that affected the entire API, not just one endpoint. Below you can see how we exploited the /addresses/<<customerid>> endpoint to leak all the registered addresses of any customer.

Bypassing the Fix

It goes without saying that our initial discovery caused a lot of panic; people jumped on it and remediated the issue ASAP. Once a fix was in place, we started looking for a way to bypass it. What we found was that, out of the many API endpoints that were vulnerable to our previous exploit, there was one where we could bypass the fix by moving the GET parameter to the POST body, probably because multiple teams had worked on this API using different tech stacks. Luckily, this bypass did not seem as critical, as we obtained only limited information and no PII leaked this time; in this case we were getting back some information about the return orders of an arbitrary client. However, their internal decision was to also treat this as critical, and it was fixed promptly.
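To make the root cause behind both the GET and the POST variant concrete, here is an added example (not the retailer’s code or anything captured during the test): a handler whose framework merges path, query and body parameters into one bag, so the id the ACL checked is not the id the lookup uses, beside a fixed handler that binds the object to the verified session and a log-side check for conflicting identifiers. The `Request` type, the `CUSTOMERS` table and the customer ids are constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed sample data: the verified session belongs to customer 1001.
CUSTOMERS = {
    1001: {"customerId": 1001, "email": "alice@example.test"},
    1002: {"customerId": 1002, "email": "bob@example.test"},
}
ID_KEY = "customerId"  # key name read off the JSON response in the write-up

@dataclass
class Request:
    path_params: dict                         # {"customerId": "1001"} from /customers/1001
    query: str = ""                           # raw query string, e.g. "customerId=1002"
    form: dict = field(default_factory=dict)  # POST body fields
    session_customer_id: int = 1001           # identity from the verified session/JWT

def supplied_ids(req):
    """Every location where the client can name a customerId: path, query, body."""
    ids = [req.path_params.get(ID_KEY)]
    ids += parse_qs(req.query).get(ID_KEY, [])
    ids.append(req.form.get(ID_KEY))
    return [i for i in ids if i is not None]

def merged_params(req):
    """Mimics a framework that merges path, query and body into one bag where
    later sources win, so a polluted query/body value overrides the path id."""
    params = dict(req.path_params)
    params.update({k: v[-1] for k, v in parse_qs(req.query).items()})
    params.update(req.form)
    return params

def get_customer_vulnerable(req):
    """ACL is checked against the path id, but the lookup reads the merged bag."""
    if int(req.path_params[ID_KEY]) != req.session_customer_id:
        return None
    return CUSTOMERS.get(int(merged_params(req)[ID_KEY]))

def get_customer_fixed(req):
    """Object identity comes only from the session; any client-supplied id
    (path, query or body) that disagrees is rejected rather than trusted."""
    cid = req.session_customer_id
    if any(int(i) != cid for i in supplied_ids(req)):
        return None
    return CUSTOMERS.get(cid)

def pollution_suspected(req):
    """Log/WAF check: one identifier in several request locations with conflicting values."""
    return len(set(supplied_ids(req))) > 1
```

Both the query-string and the body variant return customer 1002’s record from the vulnerable handler while the session belongs to 1001; the fixed handler denies both and `pollution_suspected` flags them for review.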

Conclusion

In our latest API hacking case study, we identified a critical IDOR vulnerability within a major e-commerce platform, previously overlooked despite numerous pentests. This IDOR exploitation via HPP (HTTP Parameter Pollution) could lead to significant exposure of personal information. The discovery underlines the importance of detailed manual testing techniques, which can uncover hidden vulnerabilities that automated tools might miss.

Explore Our API Penetration Testing Services

As we continually advance our tools and techniques for effective mobile app security testing, we invite you to discover our API pentesting services. Tailored to equip security professionals with cutting-edge defenses against evolving threats, our services are designed to fortify your mobile & API applications. Dive into the latest and most effective security strategies with our expertly crafted solutions. For more detailed information about our offerings or to discuss customized penetration testing strategies with our team, please visit our services page or contact us today.
