diff --git a/src/pentesting-web/idor.md b/src/pentesting-web/idor.md index 2c1ea0a7957..76c002acf91 100644 --- a/src/pentesting-web/idor.md +++ b/src/pentesting-web/idor.md 
@@ -94,6 +94,34 @@ curl -X PUT 'https://www.mchire.com/api/lead/cem-xhr' \ Combined with **default admin credentials** (`123456:123456`) that granted access to the test account, the vulnerability resulted in a critical, company-wide data breach. +### Case Study – Wristband QR codes as weak bearer tokens (2025–2026) + +*Flow:* Exhibition visitors received QR-coded wristbands; scanning `https://homeofcarlsberg.com/memories/` let the browser take the **printed wristband ID**, hex-encode it, and call a `cloudfunctions.net` backend to fetch stored media (photos/videos + names). There was **no session binding** or user authentication—**knowledge of the ID = authorization**. + +*Predictability:* Wristband IDs followed a short pattern such as `C-285-100` → ASCII hex `432d3238352d313030` (`43 2d 32 38 35 2d 31 30 30`). The space was estimated at ~26M combinations, trivial to exhaust online. + +*Exploitation workflow with Burp Intruder:* +1. **Payload generation:** Build candidate IDs (e.g., `[A-Z]-###-###`). Use a Burp Intruder **Pitchfork** or **Cluster Bomb** attack with positions for the letter and digits. Add a **payload processing rule → Add prefix/suffix → payload encoding: ASCII hex** so each request transmits the hex string expected by the backend. +2. **Response grep:** Mark Intruder **grep-match** for markers present only in valid responses (e.g., media URLs/JSON fields). Invalid IDs typically returned an empty array/404. +3. **Throughput measurement:** ~1,000,000 IDs were tested in ~2 hours from a laptop (~139 req/s). At that rate the full keyspace (~26M) would fall in ~52 hours. The sample run already exposed ~500 valid wristbands (videos + full names). +4. **Rate-limiting verification:** After the vendor claimed throttling, rerun the same Intruder config. Identical throughput/hit-rate proved the control was absent/ineffective; enumeration continued unhindered. 
+ +Quick scriptable variant (client-side hex encoding): +```python +import requests + +def to_hex(s): + return ''.join(f"{ord(c):02x}" for c in s) + +for band_id in ["C-285-100", "T-544-492"]: + hex_id = to_hex(band_id) + r = requests.get("https://homeofcarlsberg.com/memories/api", params={"id": hex_id}) + if r.ok and "media" in r.text: + print(band_id, "->", r.json()) +``` + +> **Lesson:** Encoding (ASCII→hex/Base64) does **not** add entropy; short IDs become **bearer tokens** that are enumerable despite cosmetic encoding. Without per-user authorization + high-entropy secrets, media/PII can be bulk-harvested even if “rate limiting” is claimed. + --- ## 3. Impact of IDOR / BOLA * Horizontal escalation – read/update/delete **other users’** data. @@ -124,4 +152,5 @@ Combined with **default admin credentials** (`123456:123456`) that granted acces * [How to Find More IDORs – Vickie Li](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489) * [HTB Nocturnal: IDOR oracle → file theft](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html) * [0xdf – HTB Era: predictable download IDs → backups and signing keys](https://0xdf.gitlab.io/2025/11/29/htb-era.html) +* [Carlsberg memories wristband IDOR – predictable QR IDs + Intruder brute force (2026)](https://www.pentestpartners.com/security-blog/carlsberg-probably-not-the-best-cybersecurity-in-the-world/) {{#include ../banners/hacktricks-training.md}}
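Review bot: In step 1 of the new case-study hunk, a Pitchfork attack will not exhaust the `[A-Z]-###-###` keyspace; Pitchfork walks the payload sets in lockstep, so only Cluster Bomb (or a single position fed a pre-generated list of full IDs) covers all 26 x 1000 x 1000 combinations the ~26M figure assumes. Drop "Pitchfork or". The same step also conflates two distinct Burp payload-processing rules: "Add prefix/suffix" inserts literal text, while hex conversion is the separate "Encode -> ASCII hex" rule; with split positions the hyphens in the request template must already be hex (`2d`) or the ASCII-hex rule applied per position will not produce `432d3238352d313030`. Suggest: "Add a payload processing rule Encode -> ASCII hex to each position (keep the `-` separators as `2d` in the template), or generate full IDs externally and encode them as a single position." The Python variant has the same problem from the other side: the *Flow* paragraph says the page calls a `cloudfunctions.net` backend, but the script requests `https://homeofcarlsberg.com/memories/api?id=...`, an endpoint and parameter name the hunk does not otherwise establish; either use the endpoint from the write-up or comment that URL and `id` are placeholders so readers do not treat them as the real API. The throughput arithmetic in step 3 checks out (1,000,000 / 7200 s ~= 139 req/s; 26M / 139 ~= 52 h).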
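Review bot: The new reference bullet in the second hunk dates the write-up "(2026)", while the section heading added in the first hunk says "(2025–2026)"; pick one so the heading and the citation agree.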