Hacked & Secured: Pentest Exploits & Mitigations

Ep. 2 – Chaining IDORs, CSRF Account Takeovers & Token Manipulation for Privilege Escalation

Amin Malekpour Season 1 Episode 2

Share episode

What if you could take over an account—not by cracking a password, but by chaining two overlooked vulnerabilities? What if a single CSRF exploit let attackers reset security questions and hijack accounts? And what if manipulating an authorization token could escalate privileges?

In this episode of Hacked & Secured: Pentest Exploits & Mitigations, we break down three real-world pentest findings that prove creative exploitation turns small flaws into critical security risks:

  • Chaining IDORs for account takeover – Exploiting weak access controls.
  • CSRF bypass to reset security questions – Turning one click into total compromise.
  • Privilege escalation via token manipulation – How a simple change led to admin access.

Learn how these vulnerabilities were discovered, exploited, and mitigated.

Want your pentest discovery featured? Submit your creative findings through the Google Form in the episode description, and we might showcase your finding in an upcoming episode!

🌍 Follow & Connect → LinkedIn, YouTube, Twitter, Instagram
📩 Submit Your Pentest Findings → https://forms.gle/7pPwjdaWnGYpQcA6A
📧 Feedback? Email Us podcast@quailu.com.au
🔗 Podcast Website → Website Link

INTRO

What if you could take over someone’s account, not by guessing their password, but by chaining two overlooked vulnerabilities?

What if a single CSRF exploit let an attacker reset security questions, paving the way for full account takeover?

And what if manipulating an authorization token could escalate privileges, turning a regular user into an admin?

Today, we’re breaking down three high-impact security flaws—each proving that creative exploitation can turn minor issues into critical breaches.

I’m Amin Malekpour, and you are listening to Hacked & Secured: Pentest Exploits & Mitigations.

FINDING #1 - Account Takeover by Chaining Two IDORs

Our first finding comes from a brilliant user named r29k, who uncovered an Account Takeover on the Bugcrowd platform and shared a detailed write-up on his blog, r29k.com. This high-rated issue is all about creatively chaining two Insecure Direct Object References—known as IDORs. Let’s unpack what happened, why it is important, and the lessons we can learn from it.

First, what is an IDOR? For those unfamiliar with the term, it’s a vulnerability where attackers manipulate identifiers in requests to access data or actions they’re not supposed to. Imagine changing a package tracking number in a URL to view someone else’s delivery details—except here, it’s happening in a sensitive application.

In this case, the target was a helpdesk platform with three roles: Admin, Manager, and User. Admins had full control—they could create departments, manage users, and reset passwords. But while each role was supposed to have clear limits, the vulnerabilities told a different story.

By chaining two IDOR vulnerabilities, the attacker could reset the password of any manager or user in the system—even from another organisation—accounts they were never supposed to access. This gave them complete control over those accounts. And here’s the kicker: they didn’t need any user interaction. No clicks, no approvals, nothing. It’s the kind of scenario attackers dream of, but for the organisation, an absolute nightmare. Think data breaches, misuse of managerial privileges, and major operational chaos.

Let’s break down the two IDORs and how r29k pieced them together:

  • The First IDOR allowed Adding Managers to Departments:
    Admins could create departments and assign managers to them. While testing this, r29k noticed that the manager’s ID was included in the request. By swapping the manager’s ID with one from another organisation, a malicious admin could add unauthorised managers to their department. At first, this might not seem risky. In fact, it could even put the attacker at risk since the added manager might gain access to sensitive data in the attacker’s department. But this setup was key to enabling the second exploit.
  • The Second IDOR allowed Resetting Passwords:
    Admins could reset user passwords within their department using a password reset feature—but only for the user role, not for other admins or managers. The request included the user’s ID to identify which account’s password needed resetting. Here’s where things went wrong: by replacing the user ID in this request with one from their department, the malicious admin could reset the password for any account in their department, including managers or even other admins. Yep, any account.

Here’s the twist: the second IDOR only worked on accounts already in the attacker’s department. This made the first IDOR crucial if the attacker wanted to target accounts from another organisation. By first adding the target account to their department using the first IDOR, they could then exploit the second IDOR to reset its password and take it over.

By chaining these two vulnerabilities, r29k turned what seemed like moderate risks into a powerful account takeover exploit. It’s a brilliant showcase of creativity and persistence, reminding us that pentesting isn’t just about finding vulnerabilities, but about how you connect the dots and use them effectively.

What Can We Take Away From This?

For Developers:

  • Never assume that a small or isolated vulnerability is harmless. Attackers often find creative ways to combine issues for maximum impact.
  • Enforce role-based access control (RBAC) to ensure users can only manage resources they own or are explicitly authorised to handle.
  • Validate permissions on the server side at every step to confirm a user is allowed to perform the requested action.

For Pentesters:

  • Always think in chains. One vulnerability might seem minor, but when combined with others, it can lead to major exploits.
  • Test for IDORs systematically by intercepting and modifying request parameters. Look for hidden dependencies, just as r29k did.
  • Patience and persistence are key. Sometimes, critical vulnerabilities only emerge after thorough exploration and creative thinking.

That was the story of how r29k transformed two seemingly minor IDORs into a critical Account Takeover.

Now, let’s dive into our next story and uncover another interesting pentest finding!

FINDING #2 - Account Takeover Through CSRF Vulnerability in Security Questions

Let’s jump into another exciting vulnerability story, this one from the HackerOne platform. It was uncovered by prakhar0X01 and flagged as a high-rated Account Takeover. It’s a perfect example of how a seemingly small flaw—like a CSRF vulnerability—can escalate into full account compromise. Let’s break it down!

First, what is a CSRF vulnerability? CSRF, or Cross-Site Request Forgery, happens when an attacker tricks a user into performing an unintended action on a website without their knowledge. Think of it like someone forging your signature to authorise something you never agreed to.

In this case, the application allowed users to update their security questions and answers, which were also used in the account recovery process. But here’s the kicker: while the application had CSRF tokens, the server didn’t actually validate them when processing these updates. That oversight left a huge door open for attackers to sneak in and make changes.

And it gets worse. Those same security questions were used in the password reset process. This meant users could reset their passwords by answering the security questions they had set. By exploiting the CSRF flaw, an attacker could set their own answers to the victim’s security questions and then use the password reset process to reset the victim’s password, taking over their account entirely.

Here’s the wild part: the attacker could do all of this with just one click from the victim. While the victim is using the application, one click on a malicious link or button is all it takes for the CSRF payload to execute and update the security questions. It’s as simple—and as dangerous—as that.

Here’s how the exploit unfolded step by step:

  • The attacker discovered the /member/updatesecurityquestions endpoint, which allowed users to update their security questions and answers. The critical flaw was that the server didn’t validate the CSRF tokens for this endpoint.
  • Using Burp Suite, the attacker intercepted the request to update their own security questions and crafted a malicious CSRF payload.
  • They hosted this exploit on their server and sent the link to the victim. Once the victim clicked it, their security questions and answers were silently overwritten with the attacker’s chosen answers.
  • At this point, the attacker knew all the security questions and answers for the victim’s account. Armed with this knowledge, they went to the password reset functionality, entered the new answers, and successfully reset the victim’s password.
  • When the password reset completed, the attacker gained full access to the victim’s account, effectively locking them out.

Step by step, this attack shows how a simple oversight—like not validating CSRF tokens on the server side—can escalate into a huge problem.

What Can We Take Away From This for Our Day-to-Day Jobs?

For Developers:

  • Layered security is essential. No single mechanism should be your only line of defence for sensitive functionality.
  • Ensure that all sensitive actions require valid and random CSRF tokens, and validate the token on the server side for every single request.
  • Implement MFA (Multi-Factor Authentication) as an extra layer of protection for features like account recovery and password resets.

For Pentesters:

  • This is a great example of creative exploitation. It’s not just about finding a CSRF vulnerability—it’s about understanding how it interacts with other features like password reset.
  • Always test for the ripple effects of a vulnerability and think about the entire attack chain, just like prakhar0X01 did.
  • Simple oversights can lead to devastating outcomes, so keep testing, exploring, and connecting the dots.

That was the story of how a single overlooked CSRF token validation flaw opened the door to a 1-click Account Takeover. It’s a classic reminder that even the smallest oversights in security can snowball into major consequences.

Now, let’s move on to our next pentest finding—a case of privilege escalation through authorization token manipulation!

FINDING #3 - Privilege Escalation Through Authorization Token Manipulation

To wrap up this episode, let me share a story from my own experience—a high-rated vulnerability involving privilege escalation through authorization token manipulation. It’s a great reminder that even the simplest techniques can uncover critical flaws when tested thoroughly.

Privilege escalation happens when an attacker gains access to functionalities or data they’re not supposed to have. There are two main types:

  • Vertical privilege escalation: Moving up the chain, like from a user to an admin.
  • Horizontal privilege escalation: Staying at the same level but accessing another user’s data or functionality which you are not authorised to access.

This finding involved both types of privilege escalation, all through authorization token manipulation. Here’s how it happened.

I was assessing a multi-user web application with regular users and administrators. Everything seemed secure at first glance: robust login flows, role-based access controls, and no obvious issues in the UI.

The application relied heavily on tokens for authorisation and access control. Experience told me this could be a weak spot if the server didn’t validate those tokens properly. Here’s how I exploited this vulnerability in two cases, demonstrating both horizontal and vertical privilege escalation.

Using two regular user accounts, I started by observing their specific permissions.

  • User A could manage customer profiles for a few branches and view their orders, while User B had access to a different set of branches and customer data. These accounts were designed to remain isolated, ensuring one user couldn’t access another’s data.

So, what did I do? I captured a request from User A used to view customer data, sent it to Burp Repeater, and replaced User A’s authorization token with User B’s authorization token, then resubmitted the request.
The server granted access to User B’s data while I was in User A’s session—proving it didn’t validate whether the authorization token matched the correct user.
This is a textbook example of horizontal privilege escalation, where you gain access to another user’s data or actions at the same privilege level.

Next, I focused on vertical privilege escalation. While testing the admin panel, I had captured some API requests for admin-only functionalities in Burp Repeater.
These included actions like managing user accounts and accessing sensitive admin functions that should be strictly off-limits to low-privileged users.
Curious enough, I replaced the administrator’s authorization token in the captured requests with a low-privileged user’s token and resubmitted them. To my surprise, some of the admin-only functionalities worked even with the low-privileged user’s token. The server didn’t properly validate whether the token belonged to a user with administrative privileges—it simply allowed access based on the request structure.
This is a perfect example of vertical privilege escalation, where a low-privileged user gains access to high-privileged functions. It’s also a powerful reminder for pentesters: never assume access controls are implemented correctly and always test them thoroughly. Not all admin functionalities were accessible, so persistence was key. Testing across various features helped identify the vulnerable endpoints.

What Lessons Can Be Learned here?

For Developers:

  • Always validate user roles and permissions on the server side.
  • Never trust client-side data, including authorization tokens. Enforce strict server-side validation to ensure tokens are tied to the correct user and role.

For Pentesters:

  • Identify sensitive workflows tied to roles and permissions, and always test tokens or other session identifiers for both vertical and horizontal privilege escalation.
  • Use tools like Burp Suite to intercept and modify requests. Small steps, like swapping tokens, can uncover major vulnerabilities.
  • Persistence is key—don’t give up if something doesn’t work on the first try. Sometimes, the biggest vulnerabilities are hidden behind initial failures.

OUTRO

Before we wrap up, let’s discuss something fundamental to ethical hacking: responsible disclosure.

The findings we have discussed today highlight the creativity and technical skill of top researchers. But what truly sets great ethical hackers apart is their commitment to making the internet safer. Whether reporting through bug bounty platforms or directly to organisations, the goal is always to fix the problem, not exploit it.

Have you uncovered a creative vulnerability or an interesting exploit? Share it with us using the Google Form linked in the episode description. If we feature your submission, you will get full credit and we will share your story with the community. Your work could inspire pentesters around the world and help create a safer digital space.

If you enjoyed this episode or found it valuable, please leave us a review on your favourite podcast platform. Your feedback helps us improve and bring you even better content.

Don’t forget to follow us on social media for updates, insights, and to join the conversation. We’d love to hear your thoughts—so drop us a message or leave a comment!

That’s it for today! We explored chaining IDORs into critical vulnerabilities, CSRF exploits leading to account takeovers, and privilege escalation through authorization token manipulation—each offering valuable lessons in creativity and persistence.

Remember, finding vulnerabilities is just the start—it’s about learning, growing, and contributing to a safer internet. Stay curious, hack ethically, and keep pushing the boundaries. The internet gets safer because of dedicated people like you. See you in the next episode!


People on this episode

Head Shot

Amin Malekpour

Host