Hy Team Have Good Day
Critical IDOR vulnerability in /api/get_user_loan allows accessing any user's loan data by simply changing the username parameter to victim's email.
No authorization check that authenticated user matches requested username parameter.
if (authenticated_user !== request.username) {
return 403;
}
Vulnerable Request:
POST /api/get_user_loan HTTP/2
Host: app.coindepo.com
[email protected] ← Any user's email
amount=54654
coin_id=2
Test Results:
[email protected][email protected]