This repository has been archived by the owner on Dec 22, 2024. It is now read-only.
I am making a reservation through the user [email protected] with ID value 522. After clicking the Submit button, I capture the request. As seen in the request, the id value of my newmail1 user is 522.
I change the id value to 523 and send the request.
My reservation is confirmed.
I don't see any reservations in the reservations of my current user (with an id value of 522), which is what I expected.
I log in to the account of the user [email protected] with an id of 523. As can be seen, there is a reservation here.
Here we were able to make a reservation from one user on behalf of another user. This allows users to interfere with each other's reservation object references and make reservations for each other. This is a big weakness in terms of business logic.
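The root cause described above is that the server trusts the `id` field of the request body as the reservation owner. The following is an added illustration, not the project's code: a minimal reservation handler in the vulnerable shape beside a hardened one that binds the owner to the authenticated session and treats a disagreeing `id` as a tamper signal. The `slot` field, the in-memory store and the function names are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass
class Reservation:
    owner_id: int
    slot: str  # assumed field; the real schema is not shown in the report


def create_reservation_vulnerable(session_user_id: int, body: dict, store: list) -> Reservation:
    """Pattern the report describes: the owner is read from the request body.

    A client that edits `id` from 522 to 523 books on behalf of user 523;
    the authenticated user is never consulted (CWE-639).
    """
    res = Reservation(owner_id=int(body["id"]), slot=body["slot"])
    store.append(res)
    return res


def create_reservation_fixed(session_user_id: int, body: dict, store: list) -> Reservation:
    """Hardened form: the owner always comes from the server-side session.

    The body is not allowed to name a different owner. Rejecting (rather than
    silently ignoring) the mismatch gives a clear log line for detection,
    since a legitimate client has no reason to send another user's id.
    """
    if "id" in body and int(body["id"]) != session_user_id:
        raise PermissionError(
            f"owner id {body['id']} in request does not match session user {session_user_id}"
        )
    res = Reservation(owner_id=session_user_id, slot=body["slot"])
    store.append(res)
    return res


def reservations_for(user_id: int, store: list) -> list:
    """Reservations visible to a given user (what the report checks after submit)."""
    return [r for r in store if r.owner_id == user_id]


if __name__ == "__main__":
    # Constructed replay of the report: session user 522 submits id=523.
    store = []
    tampered = {"id": "523", "slot": "2024-12-01T10:00"}
    print(create_reservation_vulnerable(522, tampered, store))  # lands on user 523
    try:
        create_reservation_fixed(522, tampered, store)
    except PermissionError as e:
        print("rejected:", e)
```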
References:
https://cwe.mitre.org/data/definitions/639.html