IDOR in support.mozilla.org through Code Review

I was trying to improve my static analysis code, specifically django apps, so i decided to hack a random project in github. And i found kitsune. https://github.com/mozilla/kitsune

Kitsune is made by mozilla and according to them, it is what powers the support.mozilla.org

So i downloaded it, and tried to hack it.

FINDING THE IDOR

While going through all url endpoints, i found an interesting endpoint url(r”^/(?P<question_id>\d+)/reply$”, views.reply, name=”questions.reply”)

It calls the function, views.reply. What makes this interesting is this part of the code

Here, you can see that if you provide a delete_images post parameter, it will delete any image with the id you provided in the delete_image parameter with no checks if the user deleting the image is actually the owner of the image. Compare this to the real image delete function

It has a proper authorization checks. Also, this functionality is not referenced anywhere in the front end since according to the mozilla team, the snippet is old.

So i reported it to mozilla bug bounty and asked their permission to actually try it in their staging server. And they agreed. After that, i was able to confirm the bug.

At the time of the report, support.mozilla.org is out of scope, but they still decided to reward me $1500 and added the domain in scope. You can read my whole report in https://bugzilla.mozilla.org/show_bug.cgi?id=1754966.

Thanks for reading, join the bounty hunter discord server: https://discord.gg/bugbounty

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

January Community & Development Updates

GSoC Week-3 at OpenMRS

Selenium Grid Setup with Docker

Grid Snapshot

Why companies achieve mediocre results by modifying Scrum

Are we really doing Scrum?

Giving Away developing, editing & designing tools to my Subscribers!

30 Days of Code — Day 1

10 Amazing Tools For Web Developers

How To Perfect Your Pull Requests

A smartphone homescreen with the text “Eat Sleep Code Repeat” displayed.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Brandon Roldan

Brandon Roldan

More from Medium

Attacking IBM MQ — SWIFT to Steal Money$$$

Remote Code Execution | A Story of Simple RCE on Jenkins Instance.

Found API Token on js file

Response Manipulation leads to Account Takeover