Dec 22, 2022 - 5:40 p.m.

Reset any user's API key via IDOR

2022-12-22 17:40:17
samirwaleed
www.huntr.dev
api security
idor
unauthorized access

EPSS: 0.002 (Low), percentile 54.4%

Description

The API key of any user can be reset, with no action from that user, via an IDOR in the "Reset API" endpoint: the request body carries the target user's numeric id, and the server acts on whatever id is supplied instead of the id of the authenticated session.

Proof of Concept

1- Create a user.

2- Go to Settings.

3- Open Burp Suite and set it to intercept the request.

4- Click Reset API.

5- The intercepted request body is: {"id":101,"resetOpenId":true}

6- Change the "id" to another value, for example "102", and forward the request. The server accepts it, resets the API key of user 102, and returns the newly generated key in the response to the attacker. Neither should happen: the reset should apply only to the authenticated user, and another user's key should never be disclosed.

More clarification

I have a user named TEST. When I do a Reset API for that user, I intercept the request and see a parameter in the request body named "id" with the value 101. When it is changed to any other number, for example "102", the Reset API is performed on the user whose "id" is 102.
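The handler pattern behind steps 5 and 6 above, and the "More clarification" paragraph, can be reproduced offline. The following is an added example, not code from the report or from the affected project: it models a vulnerable handler that trusts the "id" in the body next to a hardened one that binds the reset to the session user, and replays the report's request (session user 101, body id 102) against both. The user store, the key format, and the function names are assumptions made for the example.

```python
import secrets

# Constructed sample data for this example; the ids mirror the report
# (101 is the reporter's own user "TEST", 102 is another account).
USERS = {
    101: {"name": "TEST", "api_key": "old-key-101"},
    102: {"name": "other", "api_key": "old-key-102"},
}


class Forbidden(Exception):
    """Raised when a request targets an object its session does not own."""


def reset_api_key_vulnerable(users, session_user_id, body):
    """Handler as the report describes it: the target user is taken from the
    request body, so the authenticated session is never compared to it."""
    if not body.get("resetOpenId"):
        return None
    target = body["id"]                  # attacker-controlled
    users[target]["api_key"] = secrets.token_hex(16)
    return users[target]["api_key"]      # new key is echoed back to the caller


def reset_api_key_fixed(users, session_user_id, body):
    """Hardened handler: the target is always the authenticated user, and a
    body id that disagrees with the session is rejected rather than honoured."""
    if not body.get("resetOpenId"):
        return None
    if "id" in body and body["id"] != session_user_id:
        raise Forbidden(f"user {session_user_id} may not reset user {body['id']}")
    target = session_user_id
    users[target]["api_key"] = secrets.token_hex(16)
    return users[target]["api_key"]


def idor_check(handler, attacker_id=101, victim_id=102):
    """Replay step 6 of the PoC against a handler: authenticate as the attacker,
    submit the victim's id, and report whether the victim's key was changed and
    whether the new key came back in the response. Runs on a copy of USERS."""
    users = {uid: dict(rec) for uid, rec in USERS.items()}
    before = users[victim_id]["api_key"]
    try:
        returned = handler(users, attacker_id, {"id": victim_id, "resetOpenId": True})
    except Forbidden:
        returned = None
    return {
        "victim_key_changed": users[victim_id]["api_key"] != before,
        "victim_key_leaked": returned is not None
        and returned == users[victim_id]["api_key"],
        "attacker_key_changed": users[attacker_id]["api_key"]
        != USERS[attacker_id]["api_key"],
    }


if __name__ == "__main__":
    print("vulnerable:", idor_check(reset_api_key_vulnerable))
    print("fixed:     ", idor_check(reset_api_key_fixed))
```

The fix deliberately rejects a mismatching id instead of silently substituting the session id, so a tampered request fails loudly and can be logged as an authorization violation; dropping the id from the body altogether is the cleaner long-term design, since the server already knows who is asking.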
