IDOR(Insecure Direct Object Reference) Vulnerability to Delete Admin or any User Comment

The Hacktivists™
Apr 21 · 3 min read

Hello Members, In this article I’ll demonstrate you steps by steps how to find and exploit IDOR (Insecure Direct Object Reference) related vulnerability.

Before starting first we understand what is IDOR. Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to direct an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact the application takes user-supplied input and uses it to retrieve an object without performing sufficient authorization checks.

There can be many variables in the application such as “id”, “pid”, “uid”. Although these values are often seen as HTTP parameters, they can be found in headers and cookies. The attacker can access, edit or delete any of other users’ objects by changing the values. This vulnerability is called IDOR.

In this case, when I captured comment id then I realize application may be vulnerable to IDOR.

Vulnerable Application IDOR such as “id”, “pid”, “uid”

I create two different account one is admin & second is a local account.

This is Account A (Admin)

Log into Account A and Account B from different browser.

This is Account B (Local Account)

Create any task from Account A and put comment from both accounts.

Create a task from Account A

Open created task

now write a comment from Account A

Now open Account A (Admin) task in Account B (Local). Click on like to get Account A id from Account B.

Click on like to get Account A id

Now capture Account A comment to get account A id.

capture Account A id

Account B commented in Account A task.

Commented by Account B(Local)

Capture Account B delete request of comment from account B

Capture delete request of comment

Now replace Account B ID to Account A ID

Now you can see successfully deleted Account A (Admin) Comment from Account B(Local)

Successfully Deleted Comment of Account A(Admin) from Account B

Normally you don’t have any permission to delete Admin(Account A) comment but an attacker can able to delete the comment.

If you like our articles, please subscribe :)

Levelup0x Bug Hunting Training:

WhatsApp Channel:

Join Our Telegram Channel:

Duration: 45 Days+ Training | #Fee : 5000 inr | 75 usd

To know more : #Call / #WhatsApp : +91 96809 81337

Download All The Hacktivists™ InfoSec Training Modules™_Training_Program

The Hacktivists™

Written by

Contact us for Information Security Services & Training