- Status: Closed
- Assigned To: cbay
- Private
Opened by asad - 22.11.2025
Last edited by cbay - 24.11.2025
FS#242 - Unauthorized Account Deletion via Cookie Manipulation
Description:
The /user/delete/ endpoint allows deleting an account by sending a POST request. By replacing the sessionid cookie with that of another user, it is possible to delete any user account without knowing their password or performing any authentication.
This indicates a broken authentication / session management vulnerability where the server blindly trusts the sessionid cookie for critical actions.
Steps to Reproduce:
1. Log in as the victim account.
2. Obtain the victim’s sessionid.
3. In another browser/session, log in as the attacker.
4. Capture the delete account request: POST /user/delete/
5. Replace the attacker’s sessionid in the Cookie header with the victim’s sessionid.
6. Send the modified request.
7. Observe that the victim account gets deleted.
“Note: An attacker can brute-force these session IDs with the help of AI.”
Impact:
An attacker can delete any user's account by guessing or brute-forcing session IDs and using them in the delete request.
- Any attacker with a valid sessionid can delete any user’s account.
- No password, no verification, no re-authentication.
- Leads to complete account loss and permanent data deletion.
Severity: Critical (P1).
Recommended Fix:
- Bind session to user identity server-side and reject modified session cookies.
- Require full re-authentication (password) for account deletion.
- Add strict CSRF validation and session consistency checks.
Screencast from 11-22-2025 06...