A vulnerability has been discovered on the targeted website that allows users to delete documents without permission by exploiting the IDOR (Insecure Direct Object Reference) vulnerability. This vulnerability occurs because the website does not properly verify user permissions when processing document deletion requests. Additionally, the risk is compounded by the failure to verify the important security header “Authorization” on the server side.
Detailed Description:
This vulnerability allows an attacker to delete documents belonging to other users by exploiting a weakness in user authentication. The website relies on two parameters stored in user cookies to identify the document and authorize the deletion, but does not properly verify that the user attempting to delete the document has the appropriate permissions.
Relying on these cookie parameters poses a security risk, as they can be exploited if an attacker obtains these cookies (via attacks such as XSS or social engineering). Even though direct access to them is currently not possible, this vulnerability poses a significant risk.
I was also able to delete the Authorization header successfully and the server did not object to this.
The two parameters through which I was able to delete other people’s documents are:
grauth
csrf-token
They were also fixed values that are never changed for the user.
This is a greater risk because if I get them, I can delete any file for the victim after I get the ID of his file.
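The server-side checks whose absence this write-up describes, shown as an added example that is not the affected site's code: the handler rejects a request with no Authorization header, ties the CSRF token to the session that issued it (a fresh value per login rather than a fixed one), and checks document ownership before deleting. The in-memory stores, the `X-CSRF-Token` header name and the function names are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed in-memory state for the example; every name here is hypothetical.
DOCS = {"doc-1": "alice", "doc-2": "bob"}   # document id -> owning user
SESSIONS = {}                               # bearer token -> {"user", "csrf"}


def login(user):
    """Issue a fresh bearer token and a fresh CSRF token for every session."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return token, SESSIONS[token]["csrf"]


def delete_document(headers, doc_id, docs=DOCS):
    """Process a delete request and return an HTTP-style status code."""
    # 1. A stripped Authorization header must fail the request, not be ignored.
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    session = SESSIONS.get(auth[len("Bearer "):])
    if session is None:
        return 401

    # 2. The CSRF token has to be the one issued to this session.
    csrf = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(csrf.encode(), session["csrf"].encode()):
        return 403

    # 3. Object-level authorization: the caller must own the document.
    #    Unknown ids and other users' ids return the same status so the
    #    response does not confirm which document ids exist.
    owner = docs.get(doc_id)
    if owner is None or owner != session["user"]:
        return 404

    del docs[doc_id]
    return 204


if __name__ == "__main__":
    token, csrf = login("alice")
    headers = {"Authorization": "Bearer " + token, "X-CSRF-Token": csrf}
    print("no Authorization header:", delete_document({"X-CSRF-Token": csrf}, "doc-1"))
    print("another user's document:", delete_document(headers, "doc-2"))
    print("own document:", delete_document(headers, "doc-1"))
```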