IDOR: How I Could Delete Any Product Image on an E-Commerce Platform
The author found an insecure direct object reference (IDOR) vulnerability on an e-commerce platform: the image deletion endpoint did not check who owned the image. By changing the image-ID parameter (`Id`) an attacker could delete any user's images, damaging the business and eroding user trust. 2025-9-10 06:2:41 Author: infosecwriteups.com (view original)

Mahmoud El Manzalawy

Hello folks,

I’m Mahmoud El Manzalawy, a penetration tester and bug bounty hunter who enjoys discovering vulnerabilities in my free time.
In this write-up, I'll walk you through how I found an Insecure Direct Object Reference (IDOR) in an image deletion endpoint.

While testing the platform's product ad posting feature, I found that the application lets users upload and delete images for their ads. While doing this, I inspected the page source and looked at how the image deletion functionality works.

[Screenshot: view page source]

The JavaScript responsible for image removal is:

// Client-side handler bound to each image's remove button (the page's own code, tidied).
$("body").on("click", ".remove_pic", function () {
    var img = $(this).parent().find("img");
    var img_id = img.data("id");      // numeric image ID read from the <img> data-id attribute
    var parent = $(this).parents("li");
    var current = $(this);

    // The delete is a plain GET with the ID in the query string; no anti-CSRF token is sent.
    if (img_id !== undefined) {
        $.ajax({
            url: "/post/deleteimage?Id=" + img_id,
            type: "get",
            dataType: "json",
            complete: function (jqXHR, status) {
                var data = $.parseJSON(jqXHR.responseText);
                if (data.success === 0) {
                    alert(data.message);
                    is_delete = false;    // page-level flag used elsewhere
                } else {
                    is_delete = true;
                    // Server reported success: fade the thumbnail out and drop the button.
                    parent.animate({ opacity: 0 }, 100, function () {
                        current.remove();
                    });
                }
            }
        });
    }
});

Root Cause

The deletion is triggered by a GET request to:

url: "/post/deleteimage?Id=" + img_id,

where img_id is simply the value of the data-id attribute on the <img> element. The server never checks that the image referenced by Id belongs to the currently authenticated user; it deletes whatever Id the client supplies. Using GET for a destructive action is a second weakness: the request is a bookmarkable URL that carries no anti-CSRF token, so it can be replayed from anywhere.

Image IDs are predictable numeric values, and they are also exposed in the image URLs, e.g.

https://site.com/images/product/thumb_931887_158_100.jpg?v=1

The identifier here is 931887; neighbouring values can easily be enumerated or guessed.

Exploitation

By changing the Id parameter in this request, an attacker can delete images uploaded by other users without their consent:

GET /post/deleteimage?Id=931887

Steps I followed to confirm the vulnerability:

1. Crafted a request with an arbitrary Id value.
2. Sent the request directly to the vulnerable endpoint with the chosen Id.
3. Opened the crafted URL; the image was deleted.

This confirms that an attacker can delete any user's product image without authorization.


Impact

This vulnerability allows an attacker to:

  • Delete other sellers' product images knowing only a numeric Id.
  • Enumerate sequential Ids to delete product images in bulk.
  • Severely disrupt business operations and harm user trust.

Thank you for reading my write-up!
See you soon with another interesting bug write-up! Stay tuned 🚀 😄

Feel free to follow me on Medium , Linkedin and X: @is4curity
Happy bug hunting!

./Egypt 🇪🇬


Source: https://infosecwriteups.com/idor-how-i-could-delete-any-product-image-on-an-e-commerce-platform-8998453a50ea?source=rss----7b722bfd1b8d---4