No rate limit in comments with IDOR

Hello hackers,
in my last writeup: click here, it was about IDOR to make comments in user’s private posts, but unfortunately it was duplicated. so i didn’t gave up till i exploit this IDOR.

| Understanding target

This target is for sports and exercises, its a public program. It allows the user to create his own exercise and share it with friends. You can share the result of your exercise as a post. There are two types of exercises, routes and workout, and there are three types of post privacy: public post, private post and friend only post.
You can infer each type of privacy from its name, but for clarification
Public post: Any user can see it, interact with it, and see its comments
private post: No one can see it except you
friends only post: Only people on your friends list can see it.

| the bug

after my report duplicated I won’t lie to you, I was in bad mood, but I didn’t give up and thought why not try rate limit.
The idea here is that I do not see the victim’s post because it is private, so you cannot write an infinite number of comments because you simply cannot see it.
But with the help of the IDOR that I discovered, I can put a comment on the victim’s private post, so I sent the request to the intruder.

select the payload type: null payload,
payload option: continue indefinitely.

start attack

it works, the system doesn’t check rate limit, i went to the victim post to see if it’s actually works and Yup it works.

i reported it and it was accepted as a valid issue.

i hope you enjoy this trick, don’t forget to like :).

my linkedin: Youssif Mohamed