IDOR Leading To Improper Access Control
Hello guys, I wanted to share an easy finding I came across on a website. To give the full picture, the site sells gifts such as mugs, photobooks, and so on.

The first thing that comes to mind when hunting for IDORs is how to perform an action I should not be allowed to. For example, suppose a program has several privilege levels, such as a user and an admin: the admin can create a group and invite users into it, and only the admin can approve or remove users. The first question is how a normal user could perform the admin's action without permission. That can be called "privilege escalation" or "improper access control". In this case, the bug I found was an improper access control reachable from a normal user account.

As I said, it is a gift shop application, so the first thing I tried was the shopping cart endpoint. I created two accounts, one for the "Victim" and one for the "Attacker". I added something to the victim's cart, then tried replacing the attacker's ID with the victim's ID to see whether I could act on the victim's cart, but that failed with a 403. I then tried a GET request to see whether I could view the victim's cart by swapping the IDs in the endpoint, and got the same result. Next I found another feature, favorites, which lets you add any item to your favorites list. I tried the same methodology there: I added an item to the favorites list and captured the request.

As you can see, the visitor ID is the user ID and the product code is the item ID. I simply swapped the attacker's ID for the victim's ID, added something to his favorites, and it worked. I then changed the request method to see whether I could DELETE items from the victim's account without his permission, and that also worked. So, as you can see, a simple IDOR can lead to improper access control. If you have read this far, thank you, and I hope you learned something new.
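The root cause of this class of bug is a handler that takes the owner of the object from a client-supplied field (here the visitor ID) instead of from the authenticated session. The following is an added example, not code from the post or from the site described in it: a minimal favorites endpoint written twice, once with the pattern the post describes and once hardened so that the owner is always the logged-in user and a mismatching client-supplied ID is rejected and logged. The parameter names `visitorId` and `productCode`, the `Request` shape, and the in-memory store are all assumptions made for the example.

```python
"""Favorites endpoint: IDOR pattern beside its hardened form (added example).

Assumptions (none come from the post): the request carries a "visitorId" and
"productCode" field, the server already knows the authenticated user from the
session, and favorites are kept per user in a simple in-memory store.
"""
import logging
from dataclasses import dataclass, field

log = logging.getLogger("favorites")


@dataclass
class Request:
    method: str        # "POST" adds a favorite, "DELETE" removes one
    session_user: str  # user ID established at login: trusted, server-side
    params: dict       # request body as sent by the client: untrusted


@dataclass
class FavoritesStore:
    # user ID -> set of product codes
    favorites: dict = field(default_factory=dict)

    def add(self, user: str, product: str) -> None:
        self.favorites.setdefault(user, set()).add(product)

    def remove(self, user: str, product: str) -> None:
        self.favorites.get(user, set()).discard(product)

    def get(self, user: str) -> set:
        return set(self.favorites.get(user, set()))


def _apply(store: FavoritesStore, method: str, user: str, product: str) -> int:
    """Shared write logic; returns an HTTP-style status code."""
    if method == "POST":
        store.add(user, product)
    elif method == "DELETE":
        store.remove(user, product)
    else:
        return 405
    return 200


def handle_vulnerable(store: FavoritesStore, req: Request) -> int:
    """The IDOR: the owner of the favorites list is read from the request body,
    so any authenticated user decides which account the write lands on."""
    user = req.params["visitorId"]  # attacker-controlled
    return _apply(store, req.method, user, req.params["productCode"])


def handle_hardened(store: FavoritesStore, req: Request) -> int:
    """Fix: the owner comes from the session, never from the request. A
    client-supplied visitorId that disagrees with the session is refused and
    logged, since it is a useful tampering signal for detection."""
    user = req.session_user
    claimed = req.params.get("visitorId")
    if claimed is not None and claimed != user:
        log.warning("visitorId mismatch: session=%s claimed=%s", user, claimed)
        return 403
    return _apply(store, req.method, user, req.params["productCode"])


def demo() -> dict:
    """Run the cross-account add and delete against both handlers.
    Returns the status codes and the victim's resulting favorites."""
    cross_add = Request("POST", "attacker", {"visitorId": "victim", "productCode": "MUG-1"})
    cross_del = Request("DELETE", "attacker", {"visitorId": "victim", "productCode": "MUG-1"})

    vuln = FavoritesStore()
    v_add = handle_vulnerable(vuln, cross_add)
    v_after_add = vuln.get("victim")
    v_del = handle_vulnerable(vuln, cross_del)
    v_after_del = vuln.get("victim")

    hard = FavoritesStore()
    hard.add("victim", "MUG-1")  # constructed: the victim's own favorite
    h_add = handle_hardened(hard, cross_add)
    h_del = handle_hardened(hard, cross_del)
    h_after = hard.get("victim")

    return {
        "vulnerable": (v_add, v_after_add, v_del, v_after_del),
        "hardened": (h_add, h_del, h_after),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())
```

In the hardened version the `visitorId` field is effectively redundant; dropping it from the API altogether is the cleaner design, and keeping the mismatch check only matters while old clients still send it. Note also that the original cart endpoint returned 403 on the same trick, which is exactly what a consistent, centralized ownership check gives you; the bug appeared because the favorites endpoint implemented its own lookup instead of reusing that check.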