Adobe bug bounty using IDOR, Confidential data leaks

INTRO: Beginner’s Nightmare

This was my first month doing bug bounty hunting and, if you don’t know it already, I took up a 6-month challenge. I'm from a network penetration background, so I basically sucked at web apps. In my first month, I spent every day listening to all the good lectures by Bugcrowd and reading a ton of books such as the OWASP Testing Guide. The theory is different from practice and I was basically lost. I decided to leave my pending work and focus deeply. I spent countless hours looking for bugs, but it was all to no avail. I found some low-hanging fruit using tools but never reported them. Male ego, I guess. Then comes the light at the end of the tunnel.

The climax:

I visited the document URL and found a usual document, nothing interesting, but then I looked at the URL: it had document/200. I changed that 200 to 201 but nothing happened, so maybe no IDOR? I sent the request to Burp > Intruder, used 100–1000 as the payload set and fuzzed the document/$200$. BOOM! Here's the response. But now the question is, are the files really confidential? It turns out yes: not only documents but highly critical internal data is also leaked.

Sorting by length or status code
EXAMPLE OF SUCH
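
The write-up does not describe the server-side cause, so the following is an added example (not from the original post and not Adobe's code) that assumes each document has an owner and shows the missing object-level check beside a hardened handler. All names and sample data are constructed; the hardened handler also returns an identical response for missing and forbidden IDs, so status code and length no longer separate them.

```python
# Added example: names and data model are assumptions, not Adobe's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample store: IDs are sparse, like the document/<id> URLs in the post.
STORE = {
    200: Document(200, "alice", "onboarding guide"),
    437: Document(437, "bob", "internal salary review"),
    812: Document(812, "carol", "customer contract draft"),
}

NOT_FOUND = (404, "not found")


def get_document_vulnerable(session_user: str, doc_id: int):
    """IDOR: the ID alone selects the object; session_user is never consulted."""
    doc = STORE.get(doc_id)
    return (200, doc.body) if doc else NOT_FOUND


def get_document_hardened(session_user: str, doc_id: int):
    """Object-level authorization: the caller must own the document.
    Missing and forbidden IDs get the same response, so neither the
    status code nor the body length reveals which IDs exist."""
    doc = STORE.get(doc_id)
    if doc is None or doc.owner != session_user:
        return NOT_FOUND
    return (200, doc.body)


def readable_ids(handler, session_user: str, id_range):
    """Regression check: IDs in a range for which this user receives a 200."""
    return [i for i in id_range if handler(session_user, i)[0] == 200]


if __name__ == "__main__":
    sweep = range(100, 1001)  # the ID range mentioned in the post
    print("vulnerable:", readable_ids(get_document_vulnerable, "alice", sweep))
    print("hardened:  ", readable_ids(get_document_hardened, "alice", sweep))
```

A check like `readable_ids` fits in an authorization regression suite: for every test user, the set of readable IDs must equal the set that user owns.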

Ravaan

CEH(Practical),Red Teamer/BBHH. Have hacked Governments to fortune 500 companies/UN. Hunt of CVEs occasionally with my team.CVE-2022-30076. Bookworm