Task Description
Description:
The /user/delete/ endpoint allows deleting an account by sending a POST request. By replacing the sessionid cookie with that of another user, it is possible to delete any user account without knowing their password or performing any authentication.
This indicates a broken authentication / session management vulnerability where the server blindly trusts the sessionid cookie for critical actions.
Steps to Reproduce:
1. Log in as the victim account.
2. Obtain the victim's sessionid.
3. In another browser/session, log in as the attacker.
4. Capture the delete account request: POST /user/delete/
5. Replace the attacker's sessionid in the Cookie header with the victim's sessionid.
6. Send the modified request.
7. Observe that the victim account gets deleted.
“Note: An attacker can brute-force these session IDs with the help of AI.”
Impact:
An attacker can delete any user's account by guessing or brute-forcing session IDs and using them in the delete request.
* Any attacker with a valid sessionid can delete any user's account.
* No password, no verification, no re-authentication.
* Leads to complete account loss and permanent data deletion.
Severity: Critical (P1).
Recommended Fix:
* Bind session to user identity server-side and reject modified session cookies.
* Require full re-authentication (password) for account deletion.
* Add strict CSRF validation and session consistency checks.
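The following is an added illustration of the recommended fix, written for this report and not taken from the affected application. It is framework-agnostic: the user table, session store and request object are constructed in memory (names such as `USERS`, `SESSIONS`, `Request`, `login` and `delete_account` are assumptions for the example). The delete handler resolves the sessionid server-side to a single user, requires a per-session CSRF token, demands the current password before deleting, and revokes every session of the deleted user.

```python
"""Hardened POST /user/delete/ flow (added example, not the application's code).

Constructed in-memory stores stand in for the real database so it runs offline.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-ins for the application's user table and session store.
USERS: Dict[str, dict] = {}      # username -> {"salt": bytes, "pw_hash": bytes}
SESSIONS: Dict[str, dict] = {}   # sessionid -> {"user": str, "csrf": str}


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user random salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "pw_hash": _hash_password(password, salt)}


def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time comparison of the stored and recomputed hashes.
    return hmac.compare_digest(rec["pw_hash"], _hash_password(password, rec["salt"]))


def login(username: str, password: str) -> Optional[str]:
    """Create a server-side session bound to one user and return its id.

    A 256-bit random id is not guessable; the CSRF token is tied to the session
    so a token from another session never validates.
    """
    if not verify_password(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def delete_account(req: Request) -> Tuple[int, str]:
    """Account deletion with the three controls from the recommended fix.

    1. The sessionid must resolve server-side to an authenticated user; an
       unknown or tampered cookie is rejected rather than trusted.
    2. The CSRF token in the body must match the one bound to that session.
    3. The user must re-authenticate with their current password.
    On success the account is removed and all of its sessions are revoked.
    """
    if req.method != "POST":
        return 405, "method not allowed"
    session = SESSIONS.get(req.cookies.get("sessionid", ""))
    if session is None:
        return 401, "not authenticated"
    sent_csrf = req.form.get("csrf_token", "")
    if not hmac.compare_digest(sent_csrf.encode(), session["csrf"].encode()):
        return 403, "csrf check failed"
    user = session["user"]
    if not verify_password(user, req.form.get("password", "")):
        return 403, "re-authentication failed"
    del USERS[user]
    # Revoke every session belonging to the deleted user.
    for sid in [s for s, v in SESSIONS.items() if v["user"] == user]:
        del SESSIONS[sid]
    return 200, f"account {user} deleted"


if __name__ == "__main__":
    create_user("alice", "correct horse")
    sid = login("alice", "correct horse")
    csrf = SESSIONS[sid]["csrf"]
    print(delete_account(Request("POST", {"sessionid": sid}, {"csrf_token": csrf})))
    print(delete_account(Request("POST", {"sessionid": sid},
                                 {"csrf_token": csrf, "password": "correct horse"})))
```

The session store is keyed only by a random id that the server issued, so a client cannot "modify" its cookie into another identity: either the id exists and maps to exactly one user, or the request is unauthenticated. The password step is what makes a stolen or leaked sessionid insufficient on its own for this irreversible action.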