
SBid POC

disclosure

Found a real vulnerability in a live production system. Documented it, reported it to the maintainers through responsible disclosure, then published the proof of concept. The system has since been patched, as far as I know.

Tags: vulnerability research, PoC

PoC for a chain of IDOR vulnerabilities found in sBID, a Java-based educational platform, that could be exploited to achieve full Account Takeover (ATO). Reported, responsibly disclosed, and patched.

Vulnerability chain

Four weaknesses chained together to take over any account without interacting with the victim’s session:

| # | Type                    | Endpoint                      | Impact                    |
|---|-------------------------|-------------------------------|---------------------------|
| 1 | IDOR                    | /jsp/detall/alumne.jsp?aid=   | Full PII of any user      |
| 2 | IDOR                    | /modules/ACL                  | Username enumeration      |
| 3 | IDOR                    | /modules/Missatges            | Read any user's messages  |
| 4 | Insecure password reset | /modules/Login                | ATO via chained IDORs     |

Why it works

The reset flow issues a token but never validates that the requester owns the account. Combined with the ability to read any user’s messages via a sequential numeric ID, an attacker can request a reset for any account, intercept the token from the victim’s inbox, and set a new password — all without interacting with the victim’s session.
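The chain described above, modelled as an added example that is neither the PoC's code nor sBID's: a toy message endpoint with and without the ownership check that breaks weakness 3, a reset token that is stored hashed, bound to one account, expiring and single-use, a regression check that shows the cross-account read succeeding against the vulnerable handler and failing against the fixed one, and a small log-based detector for repeated denied reads. Every class, function, username, message and log line here is constructed for the illustration; the log format in particular is an assumption, not the platform's real access log.

```python
"""Toy model of the IDOR-to-ATO chain and the authorization check that
breaks it. Constructed example; names, data and log format are assumptions."""
from dataclasses import dataclass, field
import hashlib
import re
import secrets
import time


@dataclass
class Message:
    msg_id: int   # sequential numeric ID, as on the affected platform
    owner: str
    body: str


@dataclass
class Store:
    users: dict = field(default_factory=dict)         # username -> password hash
    messages: dict = field(default_factory=dict)      # msg_id -> Message
    reset_tokens: dict = field(default_factory=dict)  # sha256(token) -> (user, expiry)
    next_msg_id: int = 1000

    def add_message(self, owner, body):
        m = Message(self.next_msg_id, owner, body)
        self.messages[m.msg_id] = m
        self.next_msg_id += 1
        return m.msg_id


def build_store():
    """Two accounts and one pre-existing message (constructed data)."""
    s = Store()
    for u in ("alice", "mallory"):
        s.users[u] = hashlib.sha256(f"{u}-password".encode()).hexdigest()
    s.add_message("alice", "Welcome to the platform")
    return s


def read_message_vulnerable(store, session_user, msg_id):
    """Weakness 3: lookup by ID only, so any logged-in user reads any message."""
    m = store.messages.get(msg_id)
    return None if m is None else m.body


def read_message_fixed(store, session_user, msg_id):
    """Ownership check: the record must belong to the session's own user.
    'Not found' and 'not yours' look identical so IDs are not confirmed."""
    m = store.messages.get(msg_id)
    if m is None or m.owner != session_user:
        return None
    return m.body


def request_reset(store, username, ttl=900):
    """Issue a reset token: only its hash is stored, bound to one account with
    an expiry. The link is delivered to the in-app inbox, the channel that
    weakness 3 exposed."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    store.reset_tokens[digest] = (username, time.time() + ttl)
    store.add_message(username, f"Reset link: /modules/Login?token={token}")
    return token


def complete_reset(store, token, new_password):
    """Consume the token once; reject unknown or expired tokens."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = store.reset_tokens.pop(digest, None)
    if entry is None or entry[1] < time.time():
        return False
    store.users[entry[0]] = hashlib.sha256(new_password.encode()).hexdigest()
    return True


def cross_account_read_possible(store, read_message, attacker, victim):
    """Regression check for weakness 3: after a reset is requested for the
    victim, can a different logged-in user read the victim's inbox message?
    Sequential IDs made that ID guessable; the check uses the known ID."""
    request_reset(store, victim)
    victim_msg_id = store.next_msg_id - 1
    body = read_message(store, attacker, victim_msg_id)
    return body is not None and body.startswith("Reset link:")


SAMPLE_LOG = [  # constructed lines in an assumed format, not real platform logs
    "2024-01-01T10:00:01 user=alice path=/modules/Missatges id=1000 result=ok",
    "2024-01-01T10:00:05 user=mallory path=/modules/Missatges id=1001 result=ok",
    "2024-01-01T10:00:06 user=mallory path=/modules/Missatges id=1002 result=denied",
    "2024-01-01T10:00:07 user=mallory path=/modules/Missatges id=1003 result=denied",
    "2024-01-01T10:00:08 user=mallory path=/modules/Missatges id=1004 result=denied",
    "2024-01-01T10:00:09 user=bob path=/modules/Missatges id=1005 result=denied",
]
LOG_RE = re.compile(r"user=(\w+) path=\S+ id=(\d+) result=(\w+)")


def flag_enumeration(log_lines, threshold=3):
    """Detection: users with `threshold` or more denied message reads, which is
    what ID walking looks like once the ownership check is in place."""
    denials = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(3) == "denied":
            denials[m.group(1)] = denials.get(m.group(1), 0) + 1
    return sorted(u for u, n in denials.items() if n >= threshold)


if __name__ == "__main__":
    print("vulnerable:", cross_account_read_possible(build_store(), read_message_vulnerable, "mallory", "alice"))
    print("fixed:     ", cross_account_read_possible(build_store(), read_message_fixed, "mallory", "alice"))
    print("flagged:   ", flag_enumeration(SAMPLE_LOG))
```

The ownership check alone is what breaks the chain: once the inbox cannot be read across accounts, a reset requested for someone else's account delivers a token the requester cannot reach. Hashing the stored token, binding it to one account and consuming it on first use are the usual hardening on the reset side, and the denial counter is the minimal signal a defender can alert on once denials are actually logged.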

Usage

uv sync
cp .env.example .env
# Fill in your credentials

# Enumerate user info
uv run src/main.py --type user-info --id 12345

# Get reset link only — no password change
uv run src/main.py --type ato-link --id 12345 --msg-id 1000 -v

For educational purposes only. The vulnerabilities documented here have been reported and patched. Do not use against systems you don’t own or have explicit permission to test.