Restriction Bypass via IDOR: $100 Bounty
Hello, I was hunting for bugs in a SaaS application that has many features and role-based access controls. Users can create, delete, and edit customers, generate invoices, manage subscriptions, and use many other functionalities.
Assume that three customer profiles — Customer A, Customer B, and Customer C — have been created within our dashboard. Each customer is assigned a unique identifier:
Customer A: ID 101
Customer B: ID 102
Customer C: ID 103
Currently, both Customer A and Customer B hold active subscriptions. A subscription refers to a service provided by us to which the customer has opted in. For example, similar to how a Netflix subscription grants access to its video content, our service provides certain offerings to subscribed customers.
Customers A and B have an active subscription and are invoiced monthly. Because of that active subscription, their profiles can’t be deleted from our dashboard: there is a restriction that says “Customer profiles with active subscription can’t be deleted”.
Customer C doesn’t have any active subscription, so this profile can be deleted. Intercepting the delete request for Customer C in Burp Suite and changing the id value to Customer A’s id successfully deletes the profile of Customer A.
So, simply by changing an object identifier (IDOR), I was able to bypass the restriction on deleting a customer profile: the "active subscription" rule was not re-checked on the server against the id actually submitted. That’s it, guys!
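To make the root cause concrete, here is an added example (my own code, not the application from the write-up) of a delete handler with the flaw described above beside a hardened one. The in-memory store, the tenant name "acme" and the HTTP-style status codes are constructed; the ownership check goes slightly beyond the post, since a correct IDOR fix re-validates both who owns the record and the business rule against the submitted id.

```python
from dataclasses import dataclass


@dataclass
class Customer:
    id: int
    owner: str                 # tenant/account that owns this record
    active_subscription: bool  # drives the "can't be deleted" rule


def seed_store():
    """Constructed data mirroring the write-up: A and B subscribed, C not."""
    return {
        101: Customer(101, "acme", True),    # Customer A
        102: Customer(102, "acme", True),    # Customer B
        103: Customer(103, "acme", False),   # Customer C
    }


def delete_vulnerable(store, customer_id, caller_account):
    """Flawed handler: the subscription rule is enforced only by the UI
    (no Delete button for subscribed customers), so whatever id arrives
    in the request is deleted. Returns an HTTP-style status code."""
    store.pop(customer_id, None)
    return 204


def delete_hardened(store, customer_id, caller_account):
    """Fixed handler: every rule is re-evaluated server-side against the
    id actually submitted, not the one the UI offered."""
    customer = store.get(customer_id)
    if customer is None or customer.owner != caller_account:
        return 404   # same answer for "missing" and "not yours"
    if customer.active_subscription:
        return 403   # "Customer profiles with active subscription can't be deleted"
    del store[customer_id]
    return 204


def replay_writeup(handler):
    """Replay the attack: the legitimate request targets Customer C (103);
    the intercepted id is changed to Customer A (101). Returns the status
    code and whether Customer A still exists afterwards."""
    store = seed_store()
    tampered_id = 101            # was 103 before interception
    status = handler(store, tampered_id, "acme")
    return status, 101 in store
```

Running `replay_writeup(delete_vulnerable)` removes Customer A, while `replay_writeup(delete_hardened)` returns 403 and leaves the record intact.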
If you found the write-up insightful, feel free to share it!
Thanks for reading
Contact :
LinkedIn : https://www.linkedin.com/in/mohankumar007/