When editing our review, it generates a PATCH request with the review ID and its new content. IDs aren't easy to guess but we get them from the reviews list API response
Broken access control / IDOR in comment ID
Similar to "forged feedback" and "forged review" but different.
| :heavy_check_mark: / :x: | Difficulty |
|:------------------------:|:-------------------------------------|
| :grey_question: | :star: |
| :grey_question: | :star::star: |
| :heavy_check_mark: | :star::star::star: |
| :grey_question: | :star::star::star::star: |
| :grey_question: | :star::star::star::star::star: |
| :grey_question: | :star::star::star::star::star::star: |
Attacker can use a different review ID and edit another user's review
The vulnerability already exists, but the challenge not.
I was thinking of solving this, by checking the user ID for that review is same as the user ID of the requester. Please let me know if it can work
I think that would work yes 馃檪
This is already covered by the "NoSQL Manipulation" challenge, which is about editing multiple reviews at once using a NoSQLi payload on the mentioned PATCH request.
See https://pwning.owasp-juice.shop/appendix/solutions.html#update-multiple-product-reviews-at-the-same-time
Oh indeed! I was looking for simple broken access control that's why!