29 changes: 29 additions & 0 deletions src/pentesting-web/idor.md
@@ -94,6 +94,34 @@ curl -X PUT 'https://www.mchire.com/api/lead/cem-xhr' \

Combined with **default admin credentials** (`123456:123456`) that granted access to the test account, the vulnerability resulted in a critical, company-wide data breach.

### Case Study – Wristband QR codes as weak bearer tokens (2025–2026)

*Flow:* Exhibition visitors received QR-coded wristbands; scanning `https://homeofcarlsberg.com/memories/` let the browser take the **printed wristband ID**, hex-encode it, and call a `cloudfunctions.net` backend to fetch stored media (photos/videos + names). There was **no session binding** or user authentication—**knowledge of the ID = authorization**.

*Predictability:* Wristband IDs followed a short pattern such as `C-285-100` → ASCII hex `432d3238352d313030` (`43 2d 32 38 35 2d 31 30 30`). The space was estimated at ~26M combinations, trivial to exhaust online.

*Exploitation workflow with Burp Intruder:*
1. **Payload generation:** Build candidate IDs (e.g., `[A-Z]-###-###`). Use a Burp Intruder **Pitchfork** or **Cluster Bomb** attack with positions for the letter and digits. Add a **payload processing rule → Add prefix/suffix → payload encoding: ASCII hex** so each request transmits the hex string expected by the backend.
2. **Response grep:** Mark Intruder **grep-match** for markers present only in valid responses (e.g., media URLs/JSON fields). Invalid IDs typically returned an empty array/404.
3. **Throughput measurement:** ~1,000,000 IDs were tested in ~2 hours from a laptop (~139 req/s). At that rate the full keyspace (~26M) would fall in ~52 hours. The sample run already exposed ~500 valid wristbands (videos + full names).
4. **Rate-limiting verification:** After the vendor claimed throttling, rerun the same Intruder config. Identical throughput/hit-rate proved the control was absent/ineffective; enumeration continued unhindered.

Quick scriptable variant (client-side hex encoding):
```python
import requests

def to_hex(s):
return ''.join(f"{ord(c):02x}" for c in s)

for band_id in ["C-285-100", "T-544-492"]:
hex_id = to_hex(band_id)
r = requests.get("https://homeofcarlsberg.com/memories/api", params={"id": hex_id})
if r.ok and "media" in r.text:
print(band_id, "->", r.json())
```

> **Lesson:** Encoding (ASCII→hex/Base64) does **not** add entropy; short IDs become **bearer tokens** that are enumerable despite cosmetic encoding. Without per-user authorization + high-entropy secrets, media/PII can be bulk-harvested even if “rate limiting” is claimed.

---
## 3. Impact of IDOR / BOLA
* Horizontal escalation – read/update/delete **other users’** data.
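Review bot: In step 1 of the "Exploitation workflow with Burp Intruder", an ASCII-hex payload-processing rule applied to separate positions for the letter and the digit groups does not produce the value the backend expects: the literal `-` separators in the request template stay unencoded, so `C-285-100` would be sent as `43-323835-313030` rather than the `432d3238352d313030` shown under *Predictability*. Either generate the whole `X-###-###` string as one payload (a pre-generated list, or a Custom iterator payload type) and apply a single `Encode → ASCII hex` rule to it, or put the literal `2d` in the template between the encoded positions. Two smaller corrections in the same step: "Add prefix/suffix" and "Encode" are separate processing rules, not one, and exhausting every letter/digit combination needs Cluster bomb, since Pitchfork walks the payload lists in lockstep and stops at the shortest list. In the "Quick scriptable variant", the endpoint `https://homeofcarlsberg.com/memories/api`, the `id` query parameter and the `"media" in r.text` marker are not established anywhere in the text (which says the page calls a `cloudfunctions.net` backend), so label them as placeholders or take the real values from the referenced write-up; as rendered here the bodies of `def to_hex` and the `for` loop are not indented (`return ''.join(f"{ord(c):02x}" for c in s)` and the three lines after `for band_id in ...`), `r.json()` will raise on a non-JSON response, and `to_hex` can simply be `band_id.encode().hex()`.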
@@ -124,4 +152,5 @@ Combined with **default admin credentials** (`123456:123456`) that granted acces
* [How to Find More IDORs – Vickie Li](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489)
* [HTB Nocturnal: IDOR oracle → file theft](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)
* [0xdf – HTB Era: predictable download IDs → backups and signing keys](https://0xdf.gitlab.io/2025/11/29/htb-era.html)
* [Carlsberg memories wristband IDOR – predictable QR IDs + Intruder brute force (2026)](https://www.pentestpartners.com/security-blog/carlsberg-probably-not-the-best-cybersecurity-in-the-world/)
{{#include ../banners/hacktricks-training.md}}
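Review bot: The new reference line does not follow the style of the neighbouring entries, which name the source in the link text (`0xdf – HTB Era: ...`); credit the author site in the same way, e.g. `Pen Test Partners – Carlsberg memories wristband IDOR – predictable QR IDs + Intruder brute force`, and reconcile the year with the new case-study heading in the first hunk, which says (2025–2026) while the link text says (2026).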