My name is Jalal aka r0ckin and this is my first blog post and it is about a vulnerability that I’ve discovered on Google sites.
What is Insecure Direct Object Reference(IDOR):
According to OWASP, An Idor vulnerability can permit you to view or edit someone else’s account by providing its unique identifier and it is an access control bug.
Broken Access Control has taken the first rank on OWASP top-10-2021.
now let’s move straightforward on how did I found this bug.
Mapping the application
So the first that I’ve done is to map the application:
After configuring my browser with my favorite intercepting proxy burp suite, I configured the scope under the proxy tap to include “sites.google.com” and I started mapping out the application, This was done by first exploring visible content and then browsing the entire application, visiting every link and submitting every form.
Analyzing the application
So after reviewing the sitemap i found this request
After few tries on fuzzing for other bugs with no success, I decided to hunt for idors, So i created a second account that is identified by tomasideasontesting, And from the site map I replaced every catherinerecipespersonal by tomasideasontesting and I reviewed the response to see if it succeeded or not.
So after trying to find idors, the other requests had no success because access controls measures had been taken. But on the service=ListScripts i got an 200 ok response with a private identifer for tomasideasontesting scripts!
I think that endpoint was vulnerable because it was connected with other google service(script.google.com) so the developers did not pay attention to it.
Thanks for reading
To: r0ckin <email@example.com>