Real world report PoCs

You can read these real world IDOR PoCs to better understand how the bug is exploited in the real world scenarios

• DOB disclosed using “Facebook Graph API Reverse Engineering” by Raja Sekar Durairaj

• Change the description of a video without publish_actions permission in Facebook by phwd

• Response To Request Injection (RTRI) by ?, be honest, thanks to this article, I have found quite a few bugs because of using his method, respect to the author!

• Leak of all project names and all user names , even across applications on Harvest by Edgar Boda-Majer (eboda)

• Changing paymentProfileUuid when booking a trip allows free rides at Uber by Matthew Temmy (temmyscript)

• View private tweet

• Uber Enum UUID

• Hacking Facebook’s Legacy API, Part 1: Making Calls on Behalf of Any User by Stephen Sclafani

• Hacking Facebook’s Legacy API, Part 2: Stealing User Sessions by Stephen Sclafani

• Delete FB Video

• Delete FB Video

• Facebook Page Takeover by Manipulating the Parameter by arunsureshkumar

• Viewing private Airbnb Messages

• IDOR tweet as any user by kedrisec

• Classic IDOR endpoints in Twitter

• Mass Assignment, Response to Request Injection, Admin Escalation by sean

• Trello bug bounty: The websocket receives data when a public company creates a team visible board by Florian Courtial

• Trello bug bounty: Payments informations are sent to the webhook when a team changes its visibility by Florian Courtial

• Change any user’s password in Uber by mongo

• Vulnerability in Youtube allowed moving comments from any video to another by secgeek

  • It’s Google Vulnerability, so it’s worth reading, as generally it is more difficult to find Google vulnerability

• Twitter Vulnerability Could Credit Cards from Any Twitter Account by secgeek

• One Vulnerability allowed deleting comments of any user in all Yahoo sites by secgeek

• Microsoft-careers.com Remote Password Reset by Yaaser Ali

• How I could change your eBay password by Yaaser Ali

• Duo Security Researchers Uncover Bypass of PayPal’s Two-Factor Authentication by Duo Labs

• Hacking Facebook.com/thanks Posting on behalf of your friends! by Anand Prakash

• How I got access to millions of [redacted] accounts

• All Vimeo Private videos disclosure via Authorization Bypass with Excellent Technical Description by Enguerran Gillier (opnsec)

• Urgent: attacker can access every data source on Bime by Jobert Abma (jobert)

• Downloading password protected / restricted videos on Vimeo by Gazza (gazza)

• Get organization info base on uuid in Uber by Severus (severus)

• How I Exposed your Primary Facebook Email Address (Bug worth $4500) by Roy Castillo

Reference: https://whoami.securitybreached.org/2019/06/03/guide-getting-started-in-bug-bounty-hunting/