
🟩Is It Just About Replacing IDs? (I Guess Yes)

2 simple $$$ IDORs I’ve found on amazing-school.com

Hello, friend! This is mrhashimamin. And I’m back today with a new write-up for you, ma amigo <3.

So, let’s get to it. This write-up is about two good IDORs I found on my latest favorite target on Bugcrowd. Also, check out this other write-up (about a privilege escalation in the same program).


The first one was super easy. I found that the child role content is private by default, and no one can access it (likely to protect children or something). So, using the same basic steps, I started testing actions on public content and applied them to the private/protected content.

After some time, I focused on the report function. As you might guess, you can report content to admins—but can you do this for private content? Absolutely!

Just replace the modelId with the ID of a private set, get a 200 OK response, report it, claim the bounty, and DONE.


The second one had a slightly cooler idea. While testing with the same steps, I found that you can share a (set or folder) via email. The request looked like this:

Sure, I tried creating a private set (using the child account), then sharing it via email (using the attacker cookies)—but got the ugly 403 error. So, what about folders?

Okay, but child accounts can’t create folders, and there’s no such thing as a private folder on the website. Hmmmm? How can we create a private folder?

Okay, what if you create a folder and add private sets to it? Can we call that a private folder? Sure! So, I created a folder, made a private set, and added that set to the folder. If you try to access this folder as an attacker, you can’t.

Now we’ve got our private folder—let’s try sharing it via email.

Now, as an attacker, you can just type the victim's private folder ID, send the request, and it works!

The attacker can disclose the private folder name and the sets inside it via email.

And just like that, the second easy $$$ is claimed xD
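Both bugs above come down to the same root cause: the report and share endpoints checked that the supplied ID existed, but never checked whether the caller was allowed to see that object. The following added example (my own illustration, not code from the target or from the write-up) models that in plain Python. The data model, the user and object IDs, the function names and the idea of deriving a folder's privacy from the sets inside it are all assumptions made for the demo; the real site's schema is not on the page. It shows the existence-only handler beside the object-level-authorized one for both endpoints, including the "private folder" case where the folder itself has no privacy flag.

```python
from dataclasses import dataclass, field

# Hypothetical data model (assumption: the real site's schema is not on the page).
# "set" is the write-up's term for a study set; a folder just groups set IDs and
# has no privacy flag of its own, matching the write-up's description.

@dataclass
class User:
    id: int

@dataclass
class StudySet:
    id: int
    owner_id: int
    private: bool

@dataclass
class Folder:
    id: int
    owner_id: int
    set_ids: list = field(default_factory=list)

# Constructed sample data: a child account (id 1) owns a private set and a
# folder containing it; a second account (id 2) owns nothing.
CHILD, OTHER = User(1), User(2)
SETS = {
    100: StudySet(100, owner_id=1, private=False),  # public set, anyone may see it
    101: StudySet(101, owner_id=1, private=True),   # private set, owner only
}
FOLDERS = {
    500: Folder(500, owner_id=1, set_ids=[100, 101]),  # "private folder": holds a private set
    501: Folder(501, owner_id=1, set_ids=[100]),       # folder of public sets only
}

def can_view_set(user: User, s: StudySet) -> bool:
    return (not s.private) or s.owner_id == user.id

def can_view_folder(user: User, f: Folder) -> bool:
    # The site has no private-folder flag, so derive privacy from the contents:
    # a non-owner may only see a folder if every set inside is visible to them.
    if f.owner_id == user.id:
        return True
    return all(can_view_set(user, SETS[sid]) for sid in f.set_ids)

# --- Vulnerable pattern: the handler only checks that the ID exists -----------
def report_content_vulnerable(user: User, model_id: int) -> int:
    # Returns an HTTP-style status; any existing ID is accepted, private or not.
    return 200 if model_id in SETS else 404

def share_folder_vulnerable(user: User, folder_id: int, email: str) -> dict:
    f = FOLDERS.get(folder_id)
    if f is None:
        return {"status": 404}
    # Sends the folder contents to whatever address the caller supplied.
    return {"status": 200, "to": email, "set_ids": list(f.set_ids)}

# --- Fixed pattern: object-level authorization before acting on the object ---
def report_content_fixed(user: User, model_id: int) -> int:
    s = SETS.get(model_id)
    if s is None or not can_view_set(user, s):
        return 403  # (returning 404 here instead also avoids confirming the ID exists)
    return 200

def share_folder_fixed(user: User, folder_id: int, email: str) -> dict:
    f = FOLDERS.get(folder_id)
    if f is None or not can_view_folder(user, f):
        return {"status": 403}
    return {"status": 200, "to": email, "set_ids": list(f.set_ids)}

if __name__ == "__main__":
    print("vulnerable report of private set:", report_content_vulnerable(OTHER, 101))
    print("fixed report of private set:     ", report_content_fixed(OTHER, 101))
    print("vulnerable share of folder 500:  ", share_folder_vulnerable(OTHER, 500, "x@example.com")["status"])
    print("fixed share of folder 500:       ", share_folder_fixed(OTHER, 500, "x@example.com")["status"])
```

The important design point is that the check lives inside each handler that takes an object ID, not only on the page that renders the object: the site already blocked direct viewing of the private set and the folder, but the report and share actions were separate code paths with no equivalent check. A shared `can_view_*` helper called from every such path is what closes that gap.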


Remember, friend: always try to understand how the app works. That way, you can find lovely, easy-peasy logic flaws—maybe even better than these <3


That's the story for today. I hope you find this write-up useful. Thanks, and keep hacking <3
