IDOR Leak #4

@sengardeep

Description

Problem

The transaction history endpoint is vulnerable to an IDOR (Insecure Direct Object Reference) issue.
A logged-in user can modify the URL (e.g., /history/bob) and access another user's private transaction history.
This exposes sensitive financial data and violates user privacy.

Points: 30

Steps to Reproduce

  1. Log in as User A.
  2. Navigate to their own transaction history endpoint.
  3. Manually modify the URL to another user's identifier (e.g., /history/bob or /history/<AnotherUserID>).
  4. Notice:
    • User A is able to view User B’s private transaction history.
    • No authorization check is performed to ensure the requester owns the history being requested.

Expected Behavior

The endpoint should enforce strict authorization checks, ensuring:

  • The authenticated user's ID matches the ID in the requested history.
  • Users cannot view anyone else's financial activity.
  • If a mismatch is detected, the server should return a 403 Forbidden response.
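As an added example (not the project's code; the handlers, the Request type, the transaction store and the user names are all constructed for illustration), the check this issue asks for, shown beside the vulnerable pattern it replaces and a third variant that takes the history owner from the session alone so the URL carries nothing to tamper with:

```python
"""Constructed example: ownership check for a /history/<user_id> endpoint.

Everything here is illustrative stand-in code, not the project's own:
the TRANSACTIONS store, the Request type and the user names are made up.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: each user's private transaction history.
TRANSACTIONS = {
    "alice": [{"id": 1, "amount": -42.00, "memo": "groceries"}],
    "bob":   [{"id": 2, "amount": 1500.00, "memo": "salary"}],
}


@dataclass
class Request:
    """Minimal stand-in for a web request: the requested path and the
    session's authenticated user (None when nobody is logged in)."""
    path: str
    session_user: Optional[str] = None


def parse_history_path(path: str) -> Optional[str]:
    """Return <user_id> from '/history/<user_id>', or None if the path
    does not have that shape."""
    prefix = "/history/"
    if not path.startswith(prefix):
        return None
    return path[len(prefix):] or None


def history_vulnerable(req: Request) -> tuple[int, object]:
    """The IDOR pattern the issue describes: the id in the URL is trusted
    and nobody checks who is asking for it."""
    user_id = parse_history_path(req.path)
    if user_id is None or user_id not in TRANSACTIONS:
        return 404, {"error": "not found"}
    return 200, TRANSACTIONS[user_id]


def history_secure(req: Request) -> tuple[int, object]:
    """Hardened handler: the id in the URL must equal the session's user.

    Order matters: authentication first (401), then ownership (403), and
    only then the record lookup. Checking ownership before the lookup also
    means a request for someone else's history never reveals whether that
    user exists (a 403-versus-404 difference would be an enumeration
    oracle)."""
    if req.session_user is None:
        return 401, {"error": "authentication required"}
    user_id = parse_history_path(req.path)
    if user_id is None:
        return 404, {"error": "not found"}
    if user_id != req.session_user:
        # Mismatch between session identity and requested id: 403 Forbidden,
        # as the issue's expected behaviour requires.
        return 403, {"error": "forbidden"}
    return 200, TRANSACTIONS.get(user_id, [])


def history_self_only(req: Request) -> tuple[int, object]:
    """Stronger design: the owner is derived from the session and the URL
    carries no user id at all (e.g. '/history/me'), so there is no
    client-controlled identifier to compare in the first place."""
    if req.session_user is None:
        return 401, {"error": "authentication required"}
    return 200, TRANSACTIONS.get(req.session_user, [])


if __name__ == "__main__":
    # alice, logged in, edits the URL to bob's id (the issue's step 3).
    tampered = Request(path="/history/bob", session_user="alice")
    print("vulnerable:", history_vulnerable(tampered))  # bob's history leaks
    print("secure:    ", history_secure(tampered))      # (403, ...)
    print("self-only: ", history_self_only(Request("/history/me", "alice")))
```

The `history_secure` variant is the minimal fix that matches the issue's expected behaviour; `history_self_only` is the design worth preferring for new code, since an endpoint that never accepts a caller-supplied owner id cannot have this class of bug.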

Submission Guidelines

  1. Comment on this issue with your proposed solution approach.
  2. Wait for issue assignment from reviewers.
  3. Create a PR with clear, descriptive commit messages.
  4. Reference this issue in your PR description.

Metadata

Assignees

No one assigned

Labels

No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests