Hello, I’ve just started learning about web penetration testing and bug hunting so I’m not sure if what I found is a vulnerability or if it is just a normal behaviour. I was testing a small social network which has the feature of following users and liking their posts and what I discovered is that if you intercept the POST request which is sent to set the following, you can change the user id of the profile you will be following but the web page renders the button clicked, not checking if the user being followed is the owner of the profile page you’re actually on. Obviously if you refresh the page, the button is again clickable but the ‘injected’ user is being followed, without the user noticing. Thank you in advance for your answers.
Can you provide with more information it’s not clear?
1 Like
By the way you are describing it,it not seems like a bug to me…
1 Like
Yeah, I think it’s not really a bug.
By the way, I meant that you basically have a POST request in which you can modify the ‘user_id’ variable and the UI of the website doesn’t check what happened on the server side and changes the button to the ‘following’ state. When it’s refreshed it reloads the info from the server so it shows the real status of the button.
On the basis of the information provided by you i can say that this seems like a clickjacking attack to me. Also it’s an servers side validation error as the web server doesn’t validate the information supplied by the user and performs tasks that it is not intended to. You should dig more deep to get more valuable vulnerability.
This line isn’t clear to me.
Kinda sounds like IDOR maybe go into more detail ?