- Status: Closed
- Assigned To: cbay
- Private
- Opened by anoopsingh2807 - 06.08.2025
- Last edited by cbay - 06.08.2025
FS#200 - Server Security Misconfiguration in Action
Bug Theory
Server Security Misconfiguration happens when an app exposes sensitive functionality without proper controls. In this case, the platform allowed account deletion without any password confirmation, which is a clear misstep in authentication logic.
Even though the user is logged in, critical actions like deleting an account should always require re-authentication to prevent abuse via stolen sessions, CSRF, or insider misuse.
Steps
- Navigated to the Account Settings after logging in as a regular user.
- Clicked on “Delete Account”.
✅ Expected: The application should prompt the user to re-enter their account password, or at least send an OTP/email confirmation before deleting the account.
❌ Actual: The account was deleted instantly without any verification — just a single click and the user data was gone.
That’s it. No alerts. No hesitation.
Business Context Impact
Because this platform is used to coordinate offline car transactions, accounts are tied to:
- Active car listings
- Buyer/seller chat history
- Scheduled meetings or test drives
Deleting an account disrupts the entire transaction process, damages user trust, and may result in financial losses or wasted in-person efforts.
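The control the report asks for, written out as an added example that is not the platform's own code: a delete-account handler that refuses unless the request carries a CSRF token bound to the session and the user has re-proven their password within a short window, so a logged-in session on its own (a stolen cookie, a cross-site POST) can no longer delete the account. The user store, session store, PBKDF2 parameters and the 300-second window are assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed in-memory stand-ins for the platform's user and session stores (assumption:
# the real platform's storage and framework are unknown; this is not its code).
REAUTH_WINDOW_SECONDS = 300  # how recently the user must have re-proven their password

class Forbidden(Exception):
    """Request rejected outright (no session, or CSRF token mismatch)."""

class ReauthRequired(Exception):
    """Caller must re-enter the password before the action proceeds."""

def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """PBKDF2-SHA256 of the password; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def delete_account(users: dict, session: dict, form: dict, now: Optional[float] = None) -> bool:
    """Delete the session's account only after a CSRF check and fresh re-authentication.

    Fixes the reported misconfiguration: being logged in is necessary but no longer
    sufficient; the password must have been confirmed recently for this session.
    """
    now = time.time() if now is None else now
    user = users.get(session.get("user_id"))
    if user is None:
        raise Forbidden("no authenticated user")
    # CSRF: the token in the form must match the one bound to the session
    # (constant-time compare so the check itself leaks nothing about the token).
    if not hmac.compare_digest(form.get("csrf_token", ""), session.get("csrf_token", "")):
        raise Forbidden("csrf token mismatch")
    # Re-auth: if a password is submitted with this request, verify it and stamp the session.
    if form.get("password"):
        _, digest = hash_password(form["password"], user["salt"])
        if not hmac.compare_digest(digest, user["password_hash"]):
            raise ReauthRequired("password incorrect")
        session["reauth_at"] = now
    # Freshness: with or without a password in this request, the last proof must be recent.
    if now - session.get("reauth_at", float("-inf")) > REAUTH_WINDOW_SECONDS:
        raise ReauthRequired("password confirmation required")
    del users[user["id"]]
    session.clear()  # the deleted account's session must not linger
    return True
```

A stale or missing re-auth stamp raises ReauthRequired, which is the point at which a real application would redirect to a "confirm your password" step rather than deleting anything.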