divanov11 / Django-To-Do-list-with-user-authentication

To Do list app with User Registration, Login, Search and full Create Read Update and DELETE functionality.

IDOR in delete functionality #5

Closed IamLakhan closed 3 years ago

IamLakhan commented 3 years ago

Hey, I know this is a sample project but I can't help myself. I found out that this web application has an IDOR vulnerability. IDOR refers to indirect object reference; in short, any user can manipulate data of other users by just changing the id of the task. For example: if you go on to create 2 users and each have 1 task, the second user can delete the task of the first user just by referencing the task id in the delete request. I think restrictions should be in place to avoid this.

I am attaching a PoC which shows how to delete another user's list item.

https://user-images.githubusercontent.com/27778214/117136190-aa2a6600-adc5-11eb-9325-b529e0ac3d1b.mp4
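As an added illustration (not code from this repository), the scenario above modelled in plain Python: a delete that looks the task up by id alone, beside the ownership-scoped lookup that fixes it. In Django the fix is the queryset filter `Task.objects.filter(user=request.user)` in the delete view; the names `Task`, `delete_task_vulnerable` and `delete_task_fixed` are assumptions for this example.

```python
from dataclasses import dataclass

# Illustration only: names and data are constructed for this example.
# Django equivalent of the fixed lookup:
#   get_object_or_404(Task, pk=pk, user=request.user)
# or, in DeleteView.get_queryset(): Task.objects.filter(user=self.request.user)


@dataclass
class Task:
    pk: int
    user: str    # owner's username
    title: str


class NotFound(Exception):
    """Stands in for Django's Http404."""


def sample_tasks() -> dict:
    """Constructed data: two users, one task each, as in the report."""
    return {1: Task(1, "alice", "alice's task"), 2: Task(2, "bob", "bob's task")}


def delete_task_vulnerable(tasks, request_user, pk):
    """Vulnerable: lookup by primary key only, so any logged-in user can
    delete any task whose id they supply (the IDOR from the report)."""
    if pk not in tasks:
        raise NotFound(pk)
    del tasks[pk]
    return 302  # redirect after delete, as Django's DeleteView does


def delete_task_fixed(tasks, request_user, pk):
    """Hardened: lookup scoped to the requester's own tasks, so a foreign
    id behaves exactly like a non-existent one (404, no information leak)."""
    task = tasks.get(pk)
    if task is None or task.user != request_user:
        raise NotFound(pk)
    del tasks[pk]
    return 302


def demo():
    """Bob tries to delete Alice's task (id 1) through both code paths."""
    tasks = sample_tasks()
    delete_task_vulnerable(tasks, "bob", 1)   # succeeds: Alice's task is gone
    vulnerable_remaining = sorted(tasks)

    tasks = sample_tasks()
    try:
        delete_task_fixed(tasks, "bob", 1)
        blocked = False
    except NotFound:
        blocked = True
    delete_task_fixed(tasks, "bob", 2)        # Bob can still delete his own
    return vulnerable_remaining, blocked, sorted(tasks)


if __name__ == "__main__":
    print(demo())  # ([2], True, [1])
```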

EteimZ commented 3 years ago

Wow this is really educative.

divanov11 commented 3 years ago

Thank you! Just merged :)