Interesting case of Broken Access Control


Hi Guys, my name is Manav Sharma. I also go by the name Recmas. Well, let's start the writeup then. So I was hacking on a public program a few weeks back and I found an interesting case of Broken Access Control which was similar to IDOR (strange, I know, right? I will clarify later in the write-up). Since the bug got marked duplicate and is still under triage, I have to use Target.com for reference. Let's start :)

I was checking for some functionality the traditional way, mapping the website while Burp was running in the background. I saw that the website allows you to share images, videos, etc. There is also a comment functionality. I was checking the settings that they allowed a user on an upload. I saw that a user can turn off the comment functionality on their posts. I commented on a post and was checking the request, and found out that the only parameter playing a role there was the id of the post, which means I can comment on any post by changing the id to that post's id. Now you would say, where can I get the id? Well, it was relatively easy, as the id was clearly visible in the URL of the post. Suddenly I knew what I had to check, idk why, I guess just instinct lol.

HERE IS THE SCENARIO:

So I created two accounts, 1 victim and 1 attacker. Now the victim uploads a picture and turns off the comment functionality. Then I went to the attacker's account and commented on some random post, intercepted the response and changed the id to my victim's. In Repeater I got a 200 OK response.

Well, I couldn't verify whether the comment was made or not. So I went onto the victim's account and turned the comment functionality back on, and what do we see there? YES, the comment was there, and it showed up in the timeline at the time it was posted. It was a case of broken access control, as their restrictions were not implemented properly. But why? I mean, they would never have thought of such a scenario, so who was the main culprit here? YES, it was the parameter that was taking the values, aka the id parameter. It was using the id parameter for reference just like in IDOR and was not checking in the backend whether there were any restrictions on the following action.
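To show the root cause from the defender's side, here is an added example (not the target's code; the in-memory post store, handler names and the rule that the owner may still comment on their own post are my assumptions). The vulnerable handler trusts the post id alone, the fixed one reads the owner's comment setting from stored state before writing anything:

```python
from dataclasses import dataclass, field

# Constructed in-memory model standing in for the target's post/comment
# storage; the names and shapes are assumptions for this example.
@dataclass
class Post:
    post_id: int
    owner: str
    comments_enabled: bool = True
    comments: list = field(default_factory=list)

POSTS = {
    101: Post(101, "attacker"),                        # some random public post
    202: Post(202, "victim", comments_enabled=False),  # victim turned comments off
}

def comment_vulnerable(user: str, post_id: int, text: str) -> int:
    """Mirrors the bug: the client-supplied post id is the only thing that
    matters, the owner's comment setting is never consulted."""
    post = POSTS.get(post_id)
    if post is None:
        return 404
    post.comments.append((user, text))
    return 200

def comment_fixed(user: str, post_id: int, text: str) -> int:
    """Server-side enforcement: the decision comes from stored post state,
    not from anything in the request besides the id. Assumed policy: the
    owner may still comment on their own post with comments turned off."""
    post = POSTS.get(post_id)
    if post is None:
        return 404
    if not post.comments_enabled and user != post.owner:
        return 403
    post.comments.append((user, text))
    return 200

def replay_scenario(handler) -> tuple:
    """Re-run the write-up's steps: comment on a random post, then replay the
    same request with the victim's post id swapped in. Returns both status
    codes and how many comments landed on the victim's post."""
    POSTS[202].comments.clear()
    first = handler("attacker", 101, "nice pic")
    second = handler("attacker", 202, "hi victim")
    return first, second, len(POSTS[202].comments)

if __name__ == "__main__":
    print("vulnerable:", replay_scenario(comment_vulnerable))  # (200, 200, 1)
    print("fixed:     ", replay_scenario(comment_fixed))       # (200, 403, 0)
```

A 200 for the swapped id on the vulnerable path is exactly the Repeater result from the write-up; the fixed path returns 403 and leaves the victim's post untouched.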

Well, to my luck lol, it was marked duplicate as somebody reported the same issue 9 hours before I did. Still, it was an interesting one, so I thought I should share. Hope you guys like it and learned something new.

Cheers :)
