Describe the bug
This vulnerability/bug is also known as an Insecure Direct Object Reference (IDOR) bug. This bug allows unauthorized users to view anyone's private messages by obtaining the target user's receiverId/userId.
To Reproduce
Steps to reproduce the behavior:
The endpoint /api/graphql is the one vulnerable to this attack.
My POST request data is as follows:
{"query":"mutation sendMessage($input: SendMessageInput!) {\n sendMessage(input: $input) {\n id\n receiverId\n content\n }\n}\n","variables":{"input":{"receiverUsername":"TARGET_USERNAME","content":"CONTENT_HERE","receiverMsg":"Send me an anonymous message!"}},"operationName":"sendMessage"}
(Explanation of the request above) I just added the receiverId variable to the original GraphQL request.
The endpoint will unexpectedly respond with the private receiverId value, as below:
The endpoint will then respond with the private messages corresponding to the userId you obtained:
{"data":{"messages":[{"id":"yyyyy-yyy-yyyy-yyyy-yyyyyy","content":"vvvvvvvvvv","isOpened":false,"receiverMsg":"Send me an anonymous message!"},{"id":"yyyyy-yyy-yyyy-yyyy-yyyyyy","content":"vvvvvvvvvv","isOpened":true,"receiverMsg":"Send me an anonymous message!"}]}}
Expected behavior
This endpoint should return an error and not allow anyone to just grab others' private userId, AND/OR the endpoint should not allow the use of any valid userId by non-authorized users.
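The two defects the report describes (a mutation that echoes the victim's receiverId, and a messages query keyed on a caller-supplied userId) shown next to a hardened form, as an added example that is not the reporter's request or the project's own code. The in-memory users/messagesDb tables, the resolver names and the context.user session object are constructed stand-ins for this illustration.

```javascript
// Constructed in-memory stand-ins for the app's users and messages tables.
const users = [
  { id: "u-1111", username: "alice" },
  { id: "u-2222", username: "bob" },
];
const messagesDb = [
  { id: "m-1", receiverId: "u-1111", content: "hi alice", isOpened: false },
  { id: "m-2", receiverId: "u-2222", content: "hi bob", isOpened: true },
];
class AuthError extends Error {}

// Vulnerable query resolver: the inbox is selected by a caller-supplied
// userId, so anyone holding someone else's id can read their messages (IDOR).
function messagesVulnerable(args) {
  return messagesDb.filter((m) => m.receiverId === args.userId);
}

// Hardened query resolver: the receiver is the authenticated principal from
// the request context; any userId argument the caller sends is ignored.
function messagesHardened(_args, context) {
  if (!context.user) throw new AuthError("authentication required");
  return messagesDb.filter((m) => m.receiverId === context.user.id);
}

// Shared storage step for the sendMessage mutation (anonymous sender).
function storeMessage(input) {
  const receiver = users.find((u) => u.username === input.receiverUsername);
  if (!receiver) throw new Error("unknown receiverUsername");
  const msg = { id: `m-${messagesDb.length + 1}`, receiverId: receiver.id,
    content: input.content, isOpened: false, receiverMsg: input.receiverMsg };
  messagesDb.push(msg);
  return msg;
}

// Vulnerable mutation resolver: returns the stored row as-is, so selecting
// receiverId in the mutation hands the sender the victim's internal id.
function sendMessageVulnerable(input) {
  return storeMessage(input);
}

// Hardened mutation resolver: the sender only learns what it needs to know.
function sendMessageHardened(input) {
  const { receiverId, ...publicView } = storeMessage(input);
  return publicView;
}

// Field-level guard for Message.receiverId, usable wherever the type appears:
// the id is visible only to the account it belongs to, null to everyone else.
function receiverIdField(msg, _args, context) {
  return context.user && context.user.id === msg.receiverId ? msg.receiverId : null;
}
```

In a real schema the same two fixes are: derive the receiver from the session in the messages resolver, and either drop receiverId from the mutation's return type or attach the field guard to Message.receiverId so no query path can leak it.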