Tail of IDOR

What is IDOR?

when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control. In such cases, the attacker can manipulate those references to get access to unauthorized data.

Case Study

As this was a private program all illustrations of vulnerabilities will be represented with the host as


This site has an export function where user can export all the details of his/her expenses

1: select a time period eg: 02/06/2020 to 02/07/2020

2: click on export

3: select output format option: TXT,HTML,PDF

4: click on output format option and a link will be generated

5: click save done


first thing first this site is using graphql. What is graphql? GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data.

HTTP request

POST /v1/graphql HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
content-type: application/json
authorization: Basic 
Content-Length: 1104
DNT: 1
Connection: close

{"operationName":"ExportTranV3","variables":{"input":{"format":"PDF","displayTime":"2020-05-29T12:50:24.595Z","statementEntriesFilters":"{\"and\":[{\"greater_or_equal_than\":{\"field\":\"posted_at\",\"value\":\"2020-05-04T00:00:00.000000Z\"}},{\"lesser_or_equal_than\":{\"field\":\"posted_at\",\"value\":\"2020-05-23T23:59:59.999999Z\"}},{\"not\":[{\"exists\":{\"field\":\"transaction_operation.transaction.receipts\"}}]},{\"not\":[{\"exists\":{\"field\":\"transaction_operation.transaction.memo\"}}]},{\"full_text\":{\"match\":{\"fields\":\"*\",\"value\":\"\"}}},{\"or\":[]},{\"or\":[]},{\"or\":[{\"equal\":{\"field\":\"\",\"value\":\"randomvalue+encodeded+base64\"}}]},{\"or\":[]},{\"or\":[]},{\"or\":[]}]}","clientMutationId":""}},"query":"mutation ExportTran($input: CreateStatementEntriesSearchReportInput!) {\n  createStatementEntriesSearchReport(input: $input) {\n    report {\n      file {\n        id\n        downloadUrl\n        __typename\n      }\n      format\n      type\n      __typename\n    }\n    __typename\n  }\n}\n"}

so if you see the graphql request it is taking in a base64 encoded format. I create one more account and decoded both the values from 1st and 2nd account and found that some values to be constant


and also I have found that there is no rate limit on this site so the next thing is to generate a wordlist in this format constant_value+random_value+constant_value+random_value and encode it to base64.

Loaded word-list to the intruder and extracted links to PDFs of other expenses.

at the end accepted as P3

Graphql + based64_value + no_rate_limit = $300 bounty

Leave a Reply

Your email address will not be published. Required fields are marked *