IDOR – Execute JavaScript in anyone's account

Hey guys,

New blog post about a critical IDOR issue I found that allows an attacker to change any user's information and delete any user's saved bulk search remotely from the attacker's own account, just by changing the token ID in the PUT and DELETE requests.

The request that changes and saves search info looks like:

Simply changing the value of the token= parameter in the URL above makes it possible to change the user info and delete the saved search of the user associated with that token. The server never checks that the token in the URL belongs to the session making the request, so any logged-in user can act on any other account.

Original Request:

Edited Request:


I also found a stored XSS in the saved search:

Chaining the two, an attacker can use the IDOR to overwrite a victim's saved search with an XSS payload; when the victim next opens their account, the payload executes in their session.
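To make the chain concrete, here is an added example that models both bugs and their fixes in a small in-memory service. It is not the vendor's code and none of the names in it come from the post: the token values, session ids, handler names and the payload are assumptions made for the illustration. The vulnerable PUT/DELETE handlers pick the target account from the token in the URL after checking only that some session exists; the fixed handlers derive the account from the session and refuse a mismatching token. The render step shows why the stored payload fires, and how output encoding keeps it inert even if a payload is saved.

```javascript
// Added example (not the vendor's code): an in-memory model of the
// saved-search endpoints described in the post. Token values, session ids,
// handler names and the payload are assumptions made for the illustration.

// Fresh state for each run: accounts keyed by the per-user token that appears
// in the URL, and session cookies mapped to the token of the account that
// actually logged in. mallory is the attacker and knows alice's token.
function createStore() {
  return {
    accounts: new Map([
      ["tok-alice", { name: "alice", savedSearches: ["laptops under 500"] }],
      ["tok-mallory", { name: "mallory", savedSearches: [] }],
    ]),
    sessions: new Map([
      ["sess-alice", "tok-alice"],
      ["sess-mallory", "tok-mallory"],
    ]),
  };
}

// Vulnerable PUT ...?token=<token>: checks only that the caller has *some*
// valid session, then trusts the URL token to pick which account to modify.
function putSavedSearchVulnerable(store, sessionId, urlToken, index, value) {
  if (!store.sessions.has(sessionId)) return { status: 401 };
  const account = store.accounts.get(urlToken);
  if (!account) return { status: 404 };
  account.savedSearches[index] = value;
  return { status: 200 };
}

// Same flaw on DELETE: ownership of the token is never checked.
function deleteSavedSearchVulnerable(store, sessionId, urlToken, index) {
  if (!store.sessions.has(sessionId)) return { status: 401 };
  const account = store.accounts.get(urlToken);
  if (!account) return { status: 404 };
  account.savedSearches.splice(index, 1);
  return { status: 200 };
}

// Fix: the target account comes from the session, and the URL token must
// match it. A mismatch is a forged request, so reject it (and log it as an
// IDOR probe in a real service).
function authorize(store, sessionId, urlToken) {
  const ownToken = store.sessions.get(sessionId);
  if (!ownToken) return { status: 401 };
  if (urlToken !== ownToken) return { status: 403 };
  return { status: 200, account: store.accounts.get(ownToken) };
}

function putSavedSearchFixed(store, sessionId, urlToken, index, value) {
  const auth = authorize(store, sessionId, urlToken);
  if (auth.status !== 200) return { status: auth.status };
  auth.account.savedSearches[index] = value;
  return { status: 200 };
}

function deleteSavedSearchFixed(store, sessionId, urlToken, index) {
  const auth = authorize(store, sessionId, urlToken);
  if (auth.status !== 200) return { status: auth.status };
  auth.account.savedSearches.splice(index, 1);
  return { status: 200 };
}

// Stored XSS: the saved-search name is reflected into the account page.
// Vulnerable rendering concatenates it raw; the fix HTML-encodes it.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSavedSearches(account, escape) {
  return account.savedSearches
    .map((s) => `<li>${escape ? escapeHtml(s) : s}</li>`)
    .join("");
}

// Full chain: mallory sends her own session cookie but alice's token in the
// URL, plants a script tag in alice's saved search, and alice's page runs it.
function demo() {
  const payload = "<script>alert(document.cookie)</script>";
  const vuln = createStore();
  const planted = putSavedSearchVulnerable(vuln, "sess-mallory", "tok-alice", 0, payload);
  const alicePageVuln = renderSavedSearches(vuln.accounts.get("tok-alice"), false);

  const fixed = createStore();
  const blocked = putSavedSearchFixed(fixed, "sess-mallory", "tok-alice", 0, payload);
  const deleted = deleteSavedSearchFixed(fixed, "sess-mallory", "tok-alice", 0);
  // Even a payload alice saves herself stays inert once output is encoded.
  putSavedSearchFixed(fixed, "sess-alice", "tok-alice", 0, payload);
  const alicePageFixed = renderSavedSearches(fixed.accounts.get("tok-alice"), true);

  return { planted: planted.status, alicePageVuln, blocked: blocked.status,
           deleted: deleted.status, alicePageFixed };
}

console.log(demo());
```

The two checks are independent and both are needed: binding the token to the session closes the IDOR, and encoding on output closes the XSS regardless of who saved the string.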

Thanks for reading! Happy Hunting 🙂