IDOR in through Code Review

Brandon Roldan
2 min read · Mar 2, 2022

I was trying to improve my static analysis code, specifically for Django apps, so I decided to pick a random project on GitHub to hack. I found Kitsune.

Kitsune is made by Mozilla and, according to them, it is what powers the

So I downloaded it and tried to hack it.

While going through all the URL endpoints, I found an interesting one: `url(r"^/(?P<question_id>\d+)/reply$", views.reply, name="questions.reply")`

It calls the function `views.reply`. What makes this interesting is this part of the code

Here you can see that if you provide a `delete_images` POST parameter, the view deletes whatever image has the id you pass in the `delete_image` parameter, with no check that the user doing the deleting actually owns the image. Compare this to the real image delete function

It has proper authorization checks. Also, this functionality is not referenced anywhere in the front end, since according to the Mozilla team the snippet is old.
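To make the difference concrete, here is an added example (my own illustration, not Kitsune's code) of a Django-style reply handler written both ways: first with the flaw described above, where a `delete_images` POST parameter deletes the image named by `delete_image` with no owner check, and then with the ownership check the dedicated delete view performs. The `User`, `Image`, `Request` and `ImageStore` classes are hypothetical in-memory stand-ins for Django's ORM and `HttpRequest`, so the block runs without Django installed.

```python
# Added example, not Kitsune's code: a reply view that deletes an image named
# by a POST parameter, first without an owner check (the IDOR) and then with
# the check the real delete view has. All classes below are stand-ins for
# Django's models and HttpRequest so the example runs offline.
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied."""


@dataclass(frozen=True)
class User:
    id: int


@dataclass(frozen=True)
class Image:
    id: int
    creator_id: int  # id of the user who uploaded the image


@dataclass
class Request:
    user: User
    POST: dict = field(default_factory=dict)


class ImageStore:
    """In-memory stand-in for the Image model's table."""

    def __init__(self, images):
        self._images = {img.id: img for img in images}

    def get(self, image_id):
        return self._images.get(image_id)

    def delete(self, image_id):
        del self._images[image_id]

    def ids(self):
        return sorted(self._images)


def reply_vulnerable(request, store):
    """The flaw from the post: any 'delete_images' POST deletes the image whose
    id is given in 'delete_image', regardless of who owns it."""
    if "delete_images" in request.POST:
        image = store.get(int(request.POST["delete_image"]))
        if image is not None:
            store.delete(image.id)
    return "reply posted"


def reply_fixed(request, store):
    """Same handler with the authorization check the dedicated delete view
    performs: only the image's creator may delete it."""
    if "delete_images" in request.POST:
        image = store.get(int(request.POST["delete_image"]))
        if image is None:
            return "image not found"
        if image.creator_id != request.user.id:
            raise PermissionDenied("user %d does not own image %d"
                                   % (request.user.id, image.id))
        store.delete(image.id)
    return "reply posted"


def run_scenario(handler):
    """Constructed sample data: image 1 belongs to user 1, image 2 to user 2.
    User 2 posts a reply asking to delete image 1. Returns the outcome and
    which images survive, so the two handlers can be compared directly."""
    store = ImageStore([Image(1, creator_id=1), Image(2, creator_id=2)])
    request = Request(User(2), POST={"delete_images": "1", "delete_image": "1"})
    try:
        result = handler(request, store)
    except PermissionDenied:
        result = "denied"
    return {"result": result, "remaining": store.ids()}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(reply_vulnerable))  # image 1 is gone
    print("fixed:     ", run_scenario(reply_fixed))       # image 1 survives
```

The point of the comparison is that the vulnerable handler trusts a client-supplied object id as sufficient authorization; the fixed one binds the operation to the requesting user by comparing the object's owner against `request.user` before acting, which is the same check the separate delete view already had.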

So I reported it to the Mozilla bug bounty and asked their permission to actually try it on their staging server. They agreed, and after that I was able to confirm the bug.

At the time of the report, was out of scope, but they still decided to reward me $1500 and added the domain to the scope. You can read my whole report in

Thanks for reading, join the bounty hunter discord server: