
Nikhil Srivastava

<mr.nikhilsrivastava@gmail.com>

3/12/14

to developer
Vulnerability Type:
Insecure direct object reference
Url:
secure.helpscout.net
Tool Used:
Burp Interceptor and Repeater
Steps to reproduce:
1. Make two accounts, say for e.g. a and b.
2. Login with account a and go to the profile section, for e.g. https://secure.helpscout.net/users/profile/30169/
3. Now click on the "Delete Photo" option to delete the profile pic of user a. Intercept the request using Burp Interceptor and send the request to the Burp Repeater. The request header will be like below:
DELETE /members/30169/photo.json HTTP/1.1
Host: secure.helpscout.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://secure.helpscout.net/users/profile/30169/
Cookie: some cookies of user 'a'
4. Now logout from user 'a' and login into user 'b'. Go to the profile section, for e.g. https://secure.helpscout.net/users/profile/30177/
5. Now click on the "Delete Photo" option to delete the profile pic of user b. Intercept the request using Burp Interceptor. The request will be like below:
DELETE /members/30177/photo.json HTTP/1.1
Host: secure.helpscout.net
6. Exchange the 'ID' of user b, i.e. 30177, with the 'ID' of user a, i.e. 30169, in the request mentioned in step 5 and forward the request to the server.
7. Now login to user 'a' account, and you will see the profile picture got deleted.
The same way you can perform the above attack by changing the user id of any valid user on this application:
i. Go to the Repeater mentioned in step 3, change the userid value in that request to any valid user id and submit the request.
ii. OR we can take the request to the Burp Intruder and set the payload to random userids 10000 to 40000 so that all the users that come in between lose their photos.
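The server-side fix for the flaw reported above is an object-level authorization check: the member id in DELETE /members/<id>/photo.json must match the user the session cookie authenticates. The following is an added Python illustration, not Help Scout's code; the Session and PhotoStore types, the handler names and the in-memory store are assumptions, and the ids 30169/30177 are used only as sample data from the report.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Session:
    user_id: int  # the user the session cookie authenticates (assumed model)

@dataclass
class PhotoStore:
    photos: Dict[int, str] = field(default_factory=dict)  # member_id -> photo name

def parse_member_id(path: str) -> Optional[int]:
    """Accept '/members/<id>/photo.json' and return <id>, else None."""
    parts = path.strip("/").split("/")
    if (len(parts) == 3 and parts[0] == "members"
            and parts[2] == "photo.json" and parts[1].isdigit()):
        return int(parts[1])
    return None

def delete_photo_vulnerable(session: Session, store: PhotoStore, path: str) -> int:
    """Bug as reported: deletes whatever id the client put in the URL.
    The session is only used to confirm the caller is logged in."""
    member_id = parse_member_id(path)
    if member_id is None:
        return 404
    store.photos.pop(member_id, None)
    return 200

def delete_photo_fixed(session: Session, store: PhotoStore, path: str) -> int:
    """Hardened: the path id is compared with the session's own user id
    before any write happens. Returning 403 (or 404, if you prefer not to
    confirm that the id exists) stops cross-account deletion."""
    member_id = parse_member_id(path)
    if member_id is None:
        return 404
    if member_id != session.user_id:
        return 403
    store.photos.pop(member_id, None)
    return 200

if __name__ == "__main__":
    # Constructed sample data: user b (30177) targets user a's photo (30169).
    store = PhotoStore({30169: "a.jpg", 30177: "b.jpg"})
    print(delete_photo_vulnerable(Session(30177), store, "/members/30169/photo.json"),
          sorted(store.photos))  # 200 [30177]  -> a's photo is gone
    store = PhotoStore({30169: "a.jpg", 30177: "b.jpg"})
    print(delete_photo_fixed(Session(30177), store, "/members/30169/photo.json"),
          sorted(store.photos))  # 403 [30169, 30177] -> nothing deleted
```

The same comparison applies to every other endpoint that takes a member id in the path; a rate limit alone would not have stopped the Intruder variant the report describes, only the ownership check does.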

Developer Support

<developer@helpscout.net>

3/13/14

to me

Hello there,
Thank you for reporting this security issue to our engineering team. We have received your report and will reply to this email when the issue has been processed. Please keep the following rules in mind while we process your report:
1. We are only able to provide a bounty to the first person that discovers and reports the issue. For this reason, we always process them in the order they are received.
2. To be eligible for a bounty, you must not share any specifics about the issue publicly or with any third party until we have had the time to process and reply to your request.
Thanks again for your assistance; someone from our team will be in touch soon regarding your report.
-Denny Swindle
developer@helpscout.net
http://developer.helpscout.net/

From: Nikhil Srivastava <mr.nikhilsrivastava@gmail.com>
Date: March 12, 2014 9:06:28 AM EDT
To: Developer Support <developer@helpscout.net>
Subject: Re: responsible disclosure of vulnerability
{#HS:24386335-80173#}

Developer Support

<developer@helpscout.net>

4/8/14

to me
Hey Nikhil,
Thanks for reporting that! Unfortunately, someone else beat you to it and reported this issue first. We're only able to provide bounties on the first report of each problem. Sorry about that, but we'd be happy to take a look at any other submissions you have.
-Ethan Barr
developer@helpscout.net
