IDOR (Insecure Direct Object Reference) Vulnerability to Delete an Admin's or Any User's Comment
Hello Members, in this article I'll walk you step by step through how to find and exploit an IDOR (Insecure Direct Object Reference) vulnerability.
Before starting, let's first understand what IDOR is. Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter that points directly to an object. Such resources can be database entries belonging to other users, files on the system, and more. The root cause is that the application takes user-supplied input and uses it to retrieve an object without performing sufficient authorization checks.
An application can have many such parameters, for example "id", "pid" or "uid". Although these values are most often seen as HTTP parameters, they can also appear in headers and cookies. By changing these values, an attacker can access, edit or delete other users' objects. This vulnerability is called IDOR.
In this case, when I captured the comment id in a request, I realized the application might be vulnerable to IDOR.
1. Create two different accounts: Account A is an admin account and Account B is a normal (local) user account.
2. Log into Account A and Account B from different browsers.
3. Create a task from Account A and post a comment on it from both accounts.
4. Open the created task.
5. Write a comment from Account A.
6. Open Account A's (admin) task in Account B's (local) session. Click "like" on Account A's comment so that the request reveals Account A's id to Account B.
7. Capture Account A's comment request to obtain Account A's id.
8. Post a comment from Account B on Account A's task.
9. Capture the request Account B sends to delete its own comment.
10. In that request, replace Account B's ID with Account A's ID.
11. The response confirms that Account A's (admin) comment was successfully deleted from Account B (local).
Normally Account B has no permission to delete the admin's (Account A) comment, but because the server trusts the account ID supplied in the request instead of the authenticated session, an attacker is able to delete it.
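To make the root cause concrete, here is an added example (not code from the article or the tested application) of a minimal comment store with the vulnerable delete handler beside a hardened one. The users, ids and comments are constructed sample data, and the function names are illustrative assumptions.

```python
# Added example, not the article's code: a minimal comment store with the
# vulnerable delete handler beside a hardened one. Users, ids and comments
# are constructed sample data; the function names are illustrative.
from dataclasses import dataclass


@dataclass
class Comment:
    comment_id: int
    author_id: int
    body: str


def make_store():
    # Constructed data: user 1 is the admin (Account A), user 2 the local user (Account B).
    return {
        101: Comment(101, 1, "admin comment on the task"),
        102: Comment(102, 2, "local user comment on the same task"),
    }


def delete_comment_vulnerable(store, params):
    """Authorizes against the user_id carried in the request body, which the client
    controls. Replaying Account B's delete request with user_id changed from 2 to 1
    passes the 'ownership' check and removes the admin's comment."""
    comment = store.get(params["comment_id"])
    if comment is None:
        return "not_found"
    if comment.author_id != params["user_id"]:  # attacker-controlled value
        return "forbidden"
    del store[comment.comment_id]
    return "deleted"


def delete_comment_secure(store, session_user_id, params, is_admin=False):
    """Resolves the object, then enforces authorization against the identity of the
    authenticated session. Any user_id in the request body is ignored, so swapping
    ids in the captured request no longer changes the decision."""
    comment = store.get(params["comment_id"])
    if comment is None:
        return "not_found"
    if comment.author_id != session_user_id and not is_admin:
        return "forbidden"
    del store[comment.comment_id]
    return "deleted"
```

The same object lookup happens in both versions; the only difference is which identity the ownership check trusts, which is exactly where an IDOR test should focus.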