Hola fellow researchers,
Myself, Rafi Ahamed. I am a Cyber Security Researcher from Bangladesh. I am a currently doing my BBA from University of Dhaka. But I do love nerdy stuffs. Let’s not waste any time & get down to our topic.
Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts.
Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly.
I was testing a NDA (Non-disclosure Agreement) program and I noticed that the Web Application had an option to delete the user’s account.
I intercepted the request using Burp to test for IDOR as I love finding IDORs. But I couldn’t find any numeric ID or anything identical to that. But there was a User ID parameter which contained the User Name of the user. I changed the User ID with my 2nd account’s User Name, but it didn’t work. Then I noticed that there wasn’t any CSRF token. So, I generated a CSRF PoC using Burp and opened the HTML document using my other account. But it didn’t work.
Then I remembered that there was that User ID Parameter. I changed the User ID with my 2nd account’s User Name again. I opened the document with my 2nd account and my account was deleted.
I quickly reported the bug and the company fixed the bug within 24hours.
Hope you guys enjoyed this one. PM me at Facebook, LinkedIn or Twitter anytime if you have any questions.