IDOR leads to Restriction Bypass!!


Mohan Kumar N

Hello, I was hunting for bugs in a SaaS application that has many features and role-based access controls. Users can create, delete and edit customers, generate invoices, manage subscriptions, and use many other functions.

Assume that three customer profiles — Customer A, Customer B, and Customer C — have been created within our dashboard. Each customer is assigned a unique identifier:

Customer A: ID 101
Customer B: ID 102
Customer C: ID 103

Currently, both Customer A and Customer B hold active subscriptions. A subscription refers to a service provided by us to which the customer has opted in. For example, similar to how a Netflix subscription grants access to its video content, our service provides certain offerings to subscribed customers.

Customers A and B hold active subscriptions and are invoiced monthly. Because their subscriptions are active, their profiles cannot be deleted from the dashboard: the application enforces the rule "Customer profiles with an active subscription can't be deleted".

Customer C has no active subscription, so that profile can be deleted. Intercepting the delete request for Customer C in Burp Suite and changing the id value to Customer A's ID (101) successfully deletes Customer A's profile.

So, simply put, we were able to bypass a restriction on deleting customer profiles via IDOR. That's it, guys!!

In this scenario, the application deletes customer profiles based on the ID in the request. Although the system is supposed to prevent the deletion of profiles with active subscriptions (Customer A), manipulating the customer ID in the request, from Customer C's ID to Customer A's, deleted Customer A's profile. The restriction was only applied to the profile the UI offered for deletion; the server never re-checked the subscription state of the record whose ID actually arrived.
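The following is an added example, not the SaaS application's real code, showing the likely shape of the bug and its fix in a hypothetical in-memory model of the delete endpoint. The record layout, the "owner" (tenant) attribute, the status codes and the sample data are assumptions; the customer IDs 101, 102 and 103 follow the write-up. It also goes slightly beyond the post by adding a fourth customer belonging to another tenant, so the hardened handler demonstrates the plain cross-tenant IDOR check as well as the subscription restriction.

```python
"""Restriction-bypass IDOR on a customer delete endpoint (hypothetical model)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Customer:
    id: int
    owner: str                  # tenant/account that created the profile (assumed field)
    active_subscription: bool   # "profiles with an active subscription can't be deleted"


def seed_store() -> Dict[int, Customer]:
    """Constructed sample data: A and B subscribed, C not, plus another tenant's customer."""
    return {
        101: Customer(101, "tenant-1", True),    # Customer A
        102: Customer(102, "tenant-1", True),    # Customer B
        103: Customer(103, "tenant-1", False),   # Customer C
        104: Customer(104, "tenant-2", False),   # someone else's customer (added for the IDOR check)
    }


def delete_customer_vulnerable(store: Dict[int, Customer], request: dict) -> int:
    """Vulnerable handler (assumed root cause).

    The dashboard only renders a Delete button for customers without an active
    subscription, and the server trusts that UI gate: it deletes whatever id
    arrives without re-checking the subscription state or the owner of *that*
    record. Any id typed into Burp is accepted.
    """
    cid = int(request["id"])
    if cid not in store:
        return 404
    del store[cid]
    return 200


def delete_customer_hardened(store: Dict[int, Customer], current_user: str, request: dict) -> int:
    """Hardened handler: every check is re-done on the record the submitted id names."""
    cid = int(request["id"])
    customer = store.get(cid)
    # Authorization: the object must belong to the caller's tenant.
    # Return the same 404 for "missing" and "not yours" so ids cannot be enumerated.
    if customer is None or customer.owner != current_user:
        return 404
    # Business restriction, evaluated server-side against the stored record,
    # never against anything the client sent or the UI happened to show.
    if customer.active_subscription:
        return 409   # "Customer profiles with an active subscription can't be deleted"
    del store[cid]
    return 200


def intercept_and_tamper(request: dict, new_id: int) -> dict:
    """Simulates editing the id parameter in Burp before forwarding the request."""
    tampered = dict(request)
    tampered["id"] = str(new_id)
    return tampered


def run_scenario(handler, target_id: int = 101, with_user: bool = False) -> Tuple[int, List[int]]:
    """Replay the write-up against a handler: the UI only offers deleting Customer C (103),
    the attacker swaps in target_id. Returns (status, ids still present)."""
    store = seed_store()
    legit = {"id": "103"}
    attack = intercept_and_tamper(legit, target_id)
    if with_user:
        status = handler(store, "tenant-1", attack)
    else:
        status = handler(store, attack)
    return status, sorted(store)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(delete_customer_vulnerable))                  # (200, [102, 103, 104])
    print("hardened:  ", run_scenario(delete_customer_hardened, with_user=True))    # (409, [101, 102, 103, 104])
```

The fix is not "hide the button better": the server must load the record identified by the submitted ID, confirm it belongs to the caller, and evaluate the subscription restriction on that loaded record. Checking the rule in the UI, or against a flag the client sends along with the request, leaves the same bypass open.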

Thanks for reading

Contact :

LinkedIn : https://www.linkedin.com/in/mohankumar007/
