Vulnerability that allowed me to delete more than 2 lakh and half records from their database
Today I will write about an Insecure Direct Object Reference (IDOR) vulnerability I found in the XYZ Suggestions Board, suggestions.xyz.com
This vulnerability escalated my privileges so that I could empty the topics and comments tables of the database: I was able to delete any topic or comment
Comments: 1,155,000
Posts: more than 365,000 posts
But when they announced that they would release a bug bounty program, I decided to look for vulnerabilities in XYZ websites again
I started testing Suggestions.XYZ.com.
It is something like XYZ Answers: users post questions and receive answers
First, I added a comment to someone's post
I found that I could delete my own comment, so I opened Live HTTP Headers to check what happens when I delete my comment.
POST Request
prop=addressbook&fid=367443&crumb=Q4.PSLBfBe.&cid=1236547890&cmd=delete_comment
There were 5 parameters:
prop = category
fid = topic id
crumb = something like a session token
cid = comment id
cmd = the method
I opened another browser, signed in with another account and posted another comment.
Then I took that comment's id, changed the cid in the POST request and replayed it via Live HTTP Headers: the other account's comment was deleted successfully
First Vulnerability
Then I moved to the suggestion topics. I added a new topic and found that I also had the ability to delete my own post, so when I deleted it I captured the request. But it looked like this:
POST cmd=delete_item&crumb=SbWqLz.LDP0
mmmmmm, the POST request is not like the previous one: when I deleted other users' comments I changed the comment id to the one I wanted to delete, but here there is no id to change
I guessed that the developer had forgotten to add it,
so I simply added the topic parameter to the request so it looked like this:
POST cmd=delete_item&crumb=SbWqLz.LDP0&fid=xxxxxxxx
I replayed the request again, and the topic was deleted successfully
I was also able to write comments using other XYZ users' accounts
It would have been easy to write a script to delete all the topics from id number 1 to the last one.
I thought: what if a black hat hacker got hold of this? He could delete 1,500,000 records entered by XYZ users
The vulnerability was fixed and I received the bounty within 2 days. It was easy to find
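To make the root cause of both deletes concrete, here is an added example (not code from the original post and not XYZ's own backend) that models the two endpoints described above as plain Python functions. The "before" handler accepts whatever cid or fid the client names, exactly as the write-up describes; the "after" handler checks the crumb, requires the id explicitly and refuses to delete an object the session user does not own. The in-memory store, the user names, and the mapping of crumb to session are constructed for this example; only the parameter names (prop, fid, crumb, cid, cmd) and the sample ids come from the post.

```python
"""Added example (not the original post's or XYZ's code): an IDOR on a
delete endpoint, shown as a vulnerable handler beside a hardened one.

Constructed assumptions: the backend is an in-memory store; 'crumb' is a
per-session CSRF token; user names and ownership are sample data.
"""
from dataclasses import dataclass, field
from typing import Dict
from urllib.parse import parse_qs


@dataclass
class Store:
    # object id -> owner user id (constructed sample data; ids are from the post)
    comments: Dict[int, str] = field(
        default_factory=lambda: {1236547890: "alice", 1236547891: "bob"})
    topics: Dict[int, str] = field(
        default_factory=lambda: {367443: "alice", 367444: "bob"})
    # session user -> crumb issued to that session (values taken from the post)
    crumbs: Dict[str, str] = field(
        default_factory=lambda: {"alice": "Q4.PSLBfBe.", "bob": "SbWqLz.LDP0"})


def parse_body(body: str) -> Dict[str, str]:
    """Parse an application/x-www-form-urlencoded POST body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_delete(store: Store, session_user: str, body: str) -> str:
    """'Before': the crumb is checked, but the target id is trusted as-is.

    This is the bug in the post: the crumb only proves the request came from
    a logged-in session, not that the session owns the object being deleted.
    """
    p = parse_body(body)
    if p.get("crumb") != store.crumbs.get(session_user):
        return "403 bad crumb"
    if p.get("cmd") == "delete_comment":
        store.comments.pop(int(p["cid"]), None)   # any cid is accepted
        return "200 deleted"
    if p.get("cmd") == "delete_item":
        if "fid" in p:                            # client-supplied fid honoured blindly
            store.topics.pop(int(p["fid"]), None)
        return "200 deleted"
    return "400 unknown cmd"


def hardened_delete(store: Store, session_user: str, body: str) -> str:
    """'After': same endpoint, but the object must belong to the caller."""
    p = parse_body(body)
    if p.get("crumb") != store.crumbs.get(session_user):
        return "403 bad crumb"
    tables = {"delete_comment": (store.comments, "cid"),
              "delete_item": (store.topics, "fid")}
    if p.get("cmd") not in tables:
        return "400 unknown cmd"
    table, id_param = tables[p["cmd"]]
    raw = p.get(id_param)
    if raw is None or not raw.isdigit():
        # Require the id explicitly; never infer the target from elsewhere.
        return "400 missing or invalid id"
    obj_id = int(raw)
    owner = table.get(obj_id)
    if owner is None:
        return "404 not found"
    if owner != session_user:
        # Ownership check: this is the cross-account delete the post describes.
        # A real service would also log this as an authorization failure.
        return "403 not owner"
    del table[obj_id]
    return "200 deleted"


if __name__ == "__main__":
    # Alice replays her own request with Bob's comment id, as in the post.
    cross_account = ("prop=addressbook&fid=367443&crumb=Q4.PSLBfBe."
                     "&cid=1236547891&cmd=delete_comment")
    print("before:", vulnerable_delete(Store(), "alice", cross_account))
    print("after: ", hardened_delete(Store(), "alice", cross_account))
```

The hardened handler keeps the crumb check (it still matters against CSRF) but treats it as authentication only; authorization is the separate ownership lookup, done server-side against the stored owner rather than anything the client sends. Rejecting a missing id with 400 instead of guessing a target also closes the second variant the post found.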