SHODAN - INSECURE DESIGN BROKEN ACCESS CONTROL

  • Thread starter RuntimeRogue
  • Start date
  • Tagged users None
RuntimeRogue

RuntimeRogue

Premium Member
Joined
October 15, 2025
Messages
61
Reaction score
506
Points
53
  • Thread Author
  • #1
Affected Membership Packages: Academic Users, Small Business API Subscription, and up.
Filter query: vuln (Restricted), tag (Restricted)

0*MBdGJGZzraruVQjx

0*wJ1cZEdzhnB-uPOO

0*9bLtdSSFBYm-KNxw

1*Iw4X1Xe0eoppn2Zk4r_5sA.png



How It Works: The URL parameters can be tampered with to bypass access controls and retrieve information intended for higher-tier members. For example, using any restricted params in the URL and allows grouping the result set by IP addresses without the membership normally required for this action.

IDOR Links:
You can use any Shodan query filters without the need of registered Shodan account and also use the enterprise query filters such as ‘vuln’ or ‘tag’.

Code:
 - https://www.shodan.io/search/facet?query=vuln%3Acve-2026-34473&facet=ip
- https://www.shodan.io/search/facet?query=tag:honeypot&facet=ip
- https://www.shodan.io/search/facet?query=tag:compromised&facet=ip

(You need to change the CVE you want to search in the URL and you can also to choose how you want to group the list with facet parameter. in this example I used to group them for IP’s.

Proof of Concept (PoC):

0*oX43rcXdxjo2GeU4

0*0egrQK-NTQbr0N4s

1*i4D0cMd9otC-DONnlTcFBQ.png


Credits: Sahar Shlichove.
Original post: https://medium.com/@mixbanana/shodan-idor-827ddac889b7
 
  • Like
Reactions: GigiBuffon
  • Tags
    access access control control design insecure design shodan
  • Top