Adobe bug bounty using IDOR, Confidential data leaks

3 min readMar 18, 2022


Hey, amazing hackers. So I hacked Adobe, and here’s exactly how I did it. Let this be a lesson to the beginner bug bounty enthusiasts who are looking for good bugs. I'll tell you what you need to do to find bugs and where to find them.

INTRO: Beginner’s Nightmare

This was my first-month doing bug bounty hunting and if you don’t know it already I took up a 6 months challenge. I'm from a network penetration background so I basically sucked in the web apps. In my first month, I spent every day listening to all the good lectures by the bug crowd and reading a ton of books such as OWASP Testing guide. The theory is different from practical and I was basically lost. I decided to leave my pending work and focus deeply. I spent countless hours looking for bugs but everything was to no avail. I found some low-hanging fruits using tools but never reported them. Male Ego I guess. Then comes the light at the end of the tunnel.


I took up the challenge to hack adobe and yeah it was hella secure, everything was neatly wrapped under WAF and i was always getting blocked. I decided to focus to slight manipulation techniques such as IDORs so i started gathering every single parameter. How?

Gauplus, gauplus is basically Gau on drugs, its faster, more stable and easier to use.

Firstly I collected all the domains and using subdomain enumeration, from my previous blog, I sorted them into a text file adobe.txt Using gau i now collect every single parameter and endpoint, I like to exclude images and other stuff but you can add it.

cat adobe.txt | gauplus — subs -b png,jpg,gif,jpeg,swf,woff -o adobeurl.txt

Now I use my httpx to check which URLs are live, this is optional

cat adobeurl.txt | httpx -mc 200 >> finalurls.txt

Finally, we have a beautiful list of URLs with parameters to choose from.

I grep through various stuff such as id= and confidential, secret, employee but this time i went through a URL called document which is normally usual.

The climax:

I visit the document URL, now I find a usual document, nothing interesting but then i looked at the URL, it had document/200, I changed that 200 to 201 but nothing happened so maybe no IDOR? I sent the request to burp>Intruder> use 100–1000 as payload set and fuzz the document/$200$, BOOM! here's the response. But now the question is, are the files really confidential? So turns out yes, not only documents but highly critical internal data is also leaked.

Sorting by length or status code

Reported it 3 months ago, it got a medium 5.3 severity and got fixed today so I'm extremely happy.


Understand the application


PS: I don’t write to show off but to teach so no mentions of the bounty will be entertained. The motive of a learner is to learn and these days hackers are getting distracted. Keep shining. PEACE- RAVAAN




CEH(Practical),Red Teamer/BBHH. APPLE HOF ADOBE HOF, Governments to fortune 500 companies, UN. Reaseacher/Exploit Dev. CVE-2022-30076. Bookworm.