Original Post: IDOR in Multinational Retail Company Leading to Unauthorized Access and Modifications | by Kamal | Jul, 2024
This write-up discusses a critical vulnerability in a multinational retail company’s web application that let any authenticated user exploit an Insecure Direct Object Reference (IDOR) to edit and delete other users’ lists. The root cause is missing authorization in the “My Lists” feature: the server resolves a list by the ID supplied in the request without checking that the requesting user owns it. An attacker only has to change the list ID in a captured HTTP request (for example with Burp Suite) to access, edit and delete other users’ lists.
Example Exploitation:
- Changing the list ID in the URL or request body grants access to another user’s list, with the ability to edit, delete or otherwise manipulate its data.
Steps to Reproduce:
- Create Lists with Different Users:
- Log into two separate browsers (or browser profiles) as two different users and create a list in each; note each list’s ID.
- Edit and Delete Lists Using Burp Suite:
- Intercept the edit and delete requests issued by the first user and replace the list ID with the second user’s list ID. The server applies the modification or deletion, confirming that no ownership check is performed.
Recommended Fixes:
- Implement Access Control Checks:
- On every request that reads, edits or deletes a list, verify server-side that the list belongs to the current user (or that the user is otherwise authorized) before acting on it. Hard-to-guess IDs are not a substitute for this check.
- Use CSRF Tokens:
- Protect data-modifying requests with CSRF tokens to prevent cross-site request forgery. Note that a CSRF token only stops requests forged from another origin; it does not by itself stop a logged-in attacker from swapping the list ID, so it complements rather than replaces the authorization check.
- Use Salesforce Commerce Cloud’s Security Features:
- Use the platform’s built-in security features and follow its documented best practices rather than hand-rolling access control and CSRF handling.
The original post includes code samples demonstrating how to enforce these checks and secure the application against such vulnerabilities.
Go here to read the Original Post