A $7500 Google Sites IDOR

Hi,

My name is Jalal, aka r0ckin. This is my first blog post, and it is about a vulnerability I discovered in Google Sites.

What is an Insecure Direct Object Reference (IDOR)?

According to OWASP, an IDOR is an access control bug: the application uses a user-supplied identifier to look up an object without checking that the requester is allowed to access it, so supplying someone else's identifier lets you view or edit their data.

Broken Access Control is ranked first in the OWASP Top 10 (2021).

Now let's move on to how I found this bug.

Mapping the application

The first thing I did was map the application:

After configuring my browser to use my favourite intercepting proxy, Burp Suite, I set the scope under the Proxy tab to include “sites.google.com” and started mapping out the application. I did this by first exploring the visible content and then browsing the entire application, visiting every link and submitting every form.

Analyzing the application

After reviewing the site map, I found this request:

After a few unsuccessful tries at fuzzing for other bugs, I decided to hunt for IDORs. I created a second account, identified by tomasideasontesting, and from the site map I replaced every occurrence of catherinerecipespersonal with tomasideasontesting and reviewed each response to see whether the request succeeded.

Results

The other requests did not succeed, because access control measures were in place. But on service=ListScripts I got a 200 OK response containing a private identifier for tomasideasontesting's scripts!
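The identifier-swap test described in the last two sections, as an added Python example that is not part of the original post and uses neither Google's code nor the real requests: a toy in-memory service with two endpoints, one that checks ownership and one modelled on the ListScripts behaviour above that does not, plus a probe that replays each captured URL with the other account's identifier. The probe flags a finding only when the swapped request returns 200 and a body that differs from the baseline, because a 200 that silently returns your own data is not an IDOR. Host, path, parameter names and the sample data are hypothetical; the `fixed` flag shows the missing owner check.

```python
"""Differential IDOR probe over a constructed toy service.

Nothing here is Google's code or the write-up's real requests: the host,
path, query parameters and data are hypothetical, built to show the
identifier-swap technique end to end."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Response:
    status: int
    body: list = field(default_factory=list)


# Constructed sample data: two accounts, each owning one site with private objects.
OWNERS = {"catherinerecipespersonal": "catherine", "tomasideasontesting": "tomas"}
PAGES = {"catherinerecipespersonal": ["recipes-draft"], "tomasideasontesting": ["ideas-draft"]}
SCRIPTS = {"catherinerecipespersonal": ["script-c-001"], "tomasideasontesting": ["script-t-001"]}


def handle(session_user: str, url: str, fixed: bool = False) -> Response:
    """Toy server. Both services take the site identifier straight from the URL.
    ListPages verifies that the session user owns the site; ListScripts only does
    so when `fixed` is True, which is the bug pattern: object fetched from a
    user-supplied identifier with no authorization check."""
    q = parse_qs(urlsplit(url).query)
    site = q.get("site", [""])[0]
    service = q.get("service", [""])[0]
    if site not in OWNERS:
        return Response(404)
    if service == "ListPages":
        if OWNERS[site] != session_user:  # correct access control
            return Response(403)
        return Response(200, PAGES[site])
    if service == "ListScripts":
        if fixed and OWNERS[site] != session_user:  # the missing owner check
            return Response(403)
        return Response(200, SCRIPTS[site])  # vulnerable: no ownership check
    return Response(400)


def idor_probe(session_user, captured_urls, own_id, other_id, fixed=False):
    """Replay every captured URL containing own_id with other_id swapped in,
    while still authenticated as session_user. Returns (url, status, leaked)
    per probed request; leaked is True only if the swap returned 200 with a
    body that is non-empty and different from the un-swapped baseline."""
    findings = []
    for url in captured_urls:
        if own_id not in url:
            continue  # nothing to swap, skip
        swapped = url.replace(own_id, other_id)
        baseline = handle(session_user, url, fixed)
        probe = handle(session_user, swapped, fixed)
        leaked = probe.status == 200 and bool(probe.body) and probe.body != baseline.body
        findings.append((swapped, probe.status, leaked))
    return findings


# Constructed "site map": requests captured while logged in as the first account.
CAPTURED = [
    "https://sites.example/_/toy?service=ListPages&site=catherinerecipespersonal",
    "https://sites.example/_/toy?service=ListScripts&site=catherinerecipespersonal",
    "https://sites.example/_/toy?service=Ping",  # no identifier, skipped
]

if __name__ == "__main__":
    for url, status, leaked in idor_probe(
        "catherine", CAPTURED, "catherinerecipespersonal", "tomasideasontesting"
    ):
        print(f"{status} leaked={leaked} {url}")
```

Comparing the swapped response against the baseline matters in practice: some endpoints ignore the identifier in the URL and return the session user's own objects with a 200, which is not a finding.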

Final thoughts

I think that endpoint was vulnerable because it was connected to another Google service (script.google.com), so the developers did not pay attention to it.

Video

Thanks for reading

To: r0ckin <r0ckinxj3@hotmail.com>

https://twitter.com/r0ckin_
