IDOR in support.mozilla.org through Code Review

I was trying to improve my static analysis code, specifically for Django apps, so I decided to hack a random project on GitHub. And I found kitsune: https://github.com/mozilla/kitsune

Kitsune is made by Mozilla and, according to them, it is what powers support.mozilla.org.

So I downloaded it and tried to hack it.

FINDING THE IDOR

While going through all the URL endpoints, I found an interesting one: url(r"^/(?P<question_id>\d+)/reply$", views.reply, name="questions.reply")

It calls the function views.reply. What makes this interesting is this part of the code:

Here you can see that if you provide a delete_images POST parameter, it will delete any image with the id given in the delete_image parameter, with no check that the user deleting the image is actually its owner. Compare this to the real image delete function:

It has proper authorization checks. Also, this functionality is not referenced anywhere in the front end since, according to the Mozilla team, the snippet is old.
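To make the contrast concrete, here is an added, framework-free model of the two code paths described above. It is not kitsune's code: the model names (ImageAttachment, creator_id), the request shape, the exception classes and the sample data are all assumptions constructed for this illustration. The vulnerable handler performs the deletion keyed only on the submitted id; the hardened one routes the same side path through an object-level ownership check, which is exactly the check whose absence makes this an IDOR.

```python
# Added example, not kitsune's code: a framework-free model of the two code paths
# the post contrasts. Model names (ImageAttachment, creator_id), the request
# shape and the sample data are assumptions constructed for this illustration.
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class User:
    id: int
    username: str


@dataclass
class ImageAttachment:
    id: int
    creator_id: int  # assumed owner field


@dataclass
class Request:
    """Stands in for a logged-in Django request: a user plus POST parameters."""
    user: User
    POST: Dict[str, str] = field(default_factory=dict)


class PermissionDenied(Exception):
    """Analogue of a 403 response."""


class NotFound(Exception):
    """Analogue of a 404 response."""


def make_store() -> Dict[int, ImageAttachment]:
    # Constructed sample data: image 1 belongs to user 100, image 2 to user 200.
    return {
        1: ImageAttachment(id=1, creator_id=100),
        2: ImageAttachment(id=2, creator_id=200),
    }


def reply_vulnerable(request: Request, store: Dict[int, ImageAttachment]) -> str:
    """The defect described in the post: the presence of delete_images triggers
    deletion of whatever id is in delete_image. Being logged in is the only
    requirement; ownership is never consulted."""
    if "delete_images" in request.POST:
        image_id = int(request.POST["delete_image"])
        store.pop(image_id, None)
        return "deleted"
    return "replied"


def delete_image_hardened(request: Request, store: Dict[int, ImageAttachment],
                          image_id: int) -> str:
    """The shape of the 'real' delete function: look the object up, then refuse
    unless the requester is its creator."""
    image = store.get(image_id)
    if image is None:
        raise NotFound(image_id)
    if image.creator_id != request.user.id:
        raise PermissionDenied(f"user {request.user.id} does not own image {image_id}")
    del store[image_id]
    return "deleted"


def reply_hardened(request: Request, store: Dict[int, ImageAttachment]) -> str:
    """Same entry point, but the side path reuses the authorized delete."""
    if "delete_images" in request.POST:
        return delete_image_hardened(request, store, int(request.POST["delete_image"]))
    return "replied"


def demo() -> Dict[str, object]:
    """User 200 submits a reply carrying delete_images/delete_image=1 (an image
    owned by user 100) against both handlers; then the real owner deletes it."""
    other = User(id=200, username="other_user")
    cross_user = Request(user=other, POST={"delete_images": "1", "delete_image": "1"})

    store = make_store()
    vulnerable_result = reply_vulnerable(cross_user, store)
    vulnerable_kept_image = 1 in store

    store = make_store()
    try:
        hardened_result = reply_hardened(cross_user, store)
    except PermissionDenied:
        hardened_result = "forbidden"
    hardened_kept_image = 1 in store

    owner = Request(user=User(id=100, username="owner"),
                    POST={"delete_images": "1", "delete_image": "1"})
    owner_result = reply_hardened(owner, store)

    return {
        "vulnerable_result": vulnerable_result,          # "deleted"
        "vulnerable_kept_image": vulnerable_kept_image,  # False
        "hardened_result": hardened_result,              # "forbidden"
        "hardened_kept_image": hardened_kept_image,      # True
        "owner_result": owner_result,                    # "deleted"
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the split into reply_hardened and delete_image_hardened is that every path that mutates an object goes through one function that both fetches the object and checks ownership; a second, forgotten entry point (like the old snippet in views.reply) cannot skip the check if it has no other way to reach the deletion.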

So I reported it to the Mozilla bug bounty and asked their permission to actually try it on their staging server. And they agreed. After that, I was able to confirm the bug.

At the time of the report, support.mozilla.org was out of scope, but they still decided to reward me $1500 and added the domain to scope. You can read my whole report at https://bugzilla.mozilla.org/show_bug.cgi?id=1754966.

Thanks for reading. Join the bounty hunter Discord server: https://discord.gg/bugbounty

Brandon Roldan