IDOR Vulnerability: Deleting Website Content Without Admin Access

ROOT_PROFESSOR
Published in PenTester Nepal
3 min read, Apr 7, 2023

Hello amazing hackers, this is my first write-up. In this article, I will explain how I was able to delete website content without having admin access using IDOR.


Introduction:

Insecure Direct Object Reference (IDOR) is a vulnerability that arises when there are no access control checks to verify that a request to interact with a resource is authorized. IDOR vulnerabilities within an application can be exploited by attackers to manipulate, destroy, or disclose data by bypassing access controls and escalating their privileges. In this write-up, I will explain how I was able to delete website content without having admin access using the IDOR vulnerability.

Given the type of IDOR within an application, an attacker could perform the following actions:

  • Manipulate internal application objects and elevate their privileges, alter data, or gain access to and manipulate the application’s APIs.
  • Gain direct access to files and manipulate the file system, such as uploading, downloading, adding, or deleting data, including other users’ data.

Assume that the program’s website is example.com and that it was listed on the Bugcrowd platform as the target. I created an account on example.com and logged in. There was a functionality for uploading and deleting profile images. I tested this functionality to analyze the request and attempted to delete the profile image of other users, but was unsuccessful.

Next, I uploaded a profile image and opened it in a new tab to view the URL. I also opened a website background image in a new tab to analyze the difference between these two URLs (website image + uploaded profile image). I discovered that both URLs were the same.

Then I performed the crucial step and it worked. Here are the steps to reproduce the website vulnerability using Burp Suite:

  1. Upload a profile image to the website.
  2. Attempt to delete the profile image and capture the request using Burp Suite.
  3. Send the captured request to the Repeater in Burp Suite.
  4. Analyze the request and look for the profile image URL.
  5. Replace the profile image URL with the website’s background image URL in the request.
  6. Forward the modified request and wait for a response.
  7. If the response is 200 OK, the website’s background images can now be deleted without requiring admin access.
  8. It’s important to note that this action should only be possible for website admins. Therefore, it is crucial to report it to the website owner to prevent unauthorized access.
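The root cause described in the steps above is a delete endpoint that acts on whatever image URL the client supplies without checking who owns that object. The following is an added example, not code from the original write-up or from the affected program: a minimal in-memory model of such an endpoint, with the vulnerable handler beside a corrected one that verifies ownership before deleting. All names, URLs, and stored objects are constructed for illustration.

```python
"""
Added example (not the author's code): a simplified model of the profile-image
delete endpoint from the write-up. The vulnerable handler deletes any URL it is
given; the fixed handler only deletes objects owned by the requesting user.
All URLs, user names and objects below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Image:
    url: str
    # None marks a site-owned asset (e.g. the background image) that no
    # ordinary user should be able to delete.
    owner: Optional[str]


@dataclass
class ImageStore:
    images: Dict[str, Image] = field(default_factory=dict)

    def add(self, url: str, owner: Optional[str]) -> None:
        self.images[url] = Image(url, owner)


def seed_store() -> ImageStore:
    """Constructed sample data: one site asset and two user profile images."""
    store = ImageStore()
    store.add("/uploads/background.jpg", None)        # site background, admin-only
    store.add("/uploads/alice-profile.jpg", "alice")  # alice's own upload
    store.add("/uploads/bob-profile.jpg", "bob")      # bob's own upload
    return store


def delete_image_vulnerable(store: ImageStore, requesting_user: Optional[str],
                            image_url: str) -> int:
    """The IDOR from the write-up: authenticated, but no ownership check.

    Returns an HTTP-style status code. Any logged-in user can delete any
    stored image, including the site's background image, simply by swapping
    the URL in the request.
    """
    if requesting_user is None:
        return 401  # must be logged in, but that is the only check
    if image_url not in store.images:
        return 404
    del store.images[image_url]
    return 200


def delete_image_fixed(store: ImageStore, requesting_user: Optional[str],
                       image_url: str) -> int:
    """Corrected handler: the referenced object must belong to the requester.

    Site-owned assets (owner None) and other users' images are refused.
    A 404 is returned instead of 403 so the endpoint does not confirm that
    an object exists at a URL the caller is not allowed to touch.
    """
    if requesting_user is None:
        return 401
    image = store.images.get(image_url)
    if image is None or image.owner != requesting_user:
        return 404
    del store.images[image_url]
    return 200


def reproduce() -> Dict[str, int]:
    """Replays the write-up's scenario against both handlers and returns
    the status each one gives when a normal user targets the background image."""
    vulnerable_store = seed_store()
    fixed_store = seed_store()
    return {
        "vulnerable": delete_image_vulnerable(vulnerable_store, "alice",
                                              "/uploads/background.jpg"),
        "fixed": delete_image_fixed(fixed_store, "alice",
                                    "/uploads/background.jpg"),
    }


if __name__ == "__main__":
    print(reproduce())  # vulnerable handler answers 200, fixed handler 404
```

The fix is the ownership comparison in `delete_image_fixed`: the server derives authorization from the object's stored owner and the session, never from the URL the client sends. Returning 404 for both missing and foreign objects is a deliberate choice so that the delete endpoint cannot be used to enumerate which URLs exist.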

Conclusion: I was able to exploit an IDOR vulnerability to delete website content without admin access. It is important for website owners to implement access control checks to prevent such vulnerabilities. As ethical hackers, it is our responsibility to report such vulnerabilities to prevent unauthorized access and protect user data.

Connect with me:

Twitter: https://twitter.com/root__professor

Thank you for reading our write-up, and we hope you found it informative.

References: https://portswigger.net/web-security/access-control/idor
