Syaqui Collegetivity Insecure Direct Object Reference Vulnerability Allowing User Impersonation

Vulnerability

A vulnerability allowing Insecure Direct Object Reference (IDOR) has been identified in the Syaqui Collegetivity application, version 1.0.0. This vulnerability exists in the '/dashboard/notes' endpoint, where attackers can impersonate other users and perform arbitrary actions by sending a crafted POST request. The issue arises because the server accepts the 'user_id' parameter from the request without validating it against the authenticated user or otherwise protecting it, allowing unauthorized users to manipulate user identities and associated data.

Impact

Exploitation of this vulnerability allows attackers to impersonate any user, including administrators, and perform actions on their behalf, such as creating or modifying notes. This could lead to unauthorized access or changes in user-specific data, depending on how the application utilizes the 'user_id' parameter.

Reproduction

To reproduce this vulnerability, first create a 'Catatan Pelajaran' as a regular user through the application interface. Then, intercept the HTTP POST request using a proxy tool like Burp Suite. The intercepted request will include a 'user_id' parameter that can be easily modified. Replace the 'user_id' value with that of another user, such as an administrator, and resend the request. The server will process the request as if it came from the substituted user, allowing the attacker to create or edit records on their behalf.

Remediation

To address this vulnerability, implement server-side authorization checks to ensure that users can only act on their own data. Avoid relying on client-supplied identifiers for authorization decisions. Additionally, consider logging and monitoring for unusual activity, such as attempts to impersonate other users.
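The following is an added example, not code from Syaqui Collegetivity, that models the remediation above in plain Python: an in-memory POST /dashboard/notes handler in its vulnerable form (the owner is whatever 'user_id' the client sent) beside a hardened form that takes the owner from the server-side session, enforces ownership on edits, and writes an audit entry when a client-supplied 'user_id' disagrees with the session. The Note, Session and NoteStore types, the form field names and the sample values are constructed for illustration.

```python
# Added example (not Syaqui Collegetivity's code): a constructed in-memory model
# of a POST /dashboard/notes handler, showing the IDOR pattern beside the
# server-side authorization fix from the Remediation section. Names such as
# Note, Session, NoteStore and the form field names are assumptions.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""


@dataclass
class Note:
    note_id: int
    owner_id: int
    title: str
    body: str


@dataclass
class Session:
    # Populated by the server at login; the client cannot alter it.
    user_id: int


@dataclass
class NoteStore:
    notes: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)
    next_id: int = 1

    def create(self, owner_id: int, title: str, body: str) -> Note:
        note = Note(self.next_id, owner_id, title, body)
        self.notes[note.note_id] = note
        self.next_id += 1
        return note


def vulnerable_create_note(store: NoteStore, session: Session, form: dict) -> Note:
    """IDOR pattern: the owner is whatever 'user_id' the client submitted.

    Any authenticated user can supply another user's id and the note is
    stored as that user's, which is the behaviour the advisory describes.
    """
    return store.create(int(form["user_id"]), form["title"], form["body"])


def hardened_create_note(store: NoteStore, session: Session, form: dict) -> Note:
    """Fix: the owner comes from the authenticated session, never the form.

    A client-supplied 'user_id' that disagrees with the session is ignored
    and logged, which gives defenders a signal for impersonation attempts.
    """
    supplied = form.get("user_id")
    if supplied is not None and str(supplied) != str(session.user_id):
        store.audit_log.append(
            f"user={session.user_id} submitted user_id={supplied} on note create"
        )
    return store.create(session.user_id, form["title"], form["body"])


def hardened_update_note(store: NoteStore, session: Session, form: dict) -> Note:
    """Edits require a server-side ownership check.

    A missing note and a note owned by someone else yield the same error,
    so the endpoint does not reveal which note ids exist.
    """
    note = store.notes.get(int(form["note_id"]))
    if note is None or note.owner_id != session.user_id:
        store.audit_log.append(
            f"user={session.user_id} denied update of note_id={form['note_id']}"
        )
        raise Forbidden("note not found or not owned by caller")
    note.title = form["title"]
    note.body = form["body"]
    return note


def demo() -> dict:
    """Constructed walk-through: user 7 is logged in and submits user_id=1."""
    store = NoteStore()
    session = Session(user_id=7)
    crafted = {"user_id": "1", "title": "Catatan", "body": "isi"}
    leaked = vulnerable_create_note(store, session, crafted)
    safe = hardened_create_note(store, session, crafted)
    try:
        hardened_update_note(
            store, session, {"note_id": leaked.note_id, "title": "x", "body": "y"}
        )
        denied = False
    except Forbidden:
        denied = True
    return {
        "vulnerable_owner": leaked.owner_id,        # 1: stored as user 1's note
        "hardened_owner": safe.owner_id,            # 7: stored as the caller's note
        "update_of_foreign_note_denied": denied,    # True
        "audit_entries": len(store.audit_log),      # 2: mismatch + denied update
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the hardened handler never reads an identity from the request body at all; the session is the only source of "who is acting", and the ownership check on update is what prevents edits to records the caller does not own. The audit entries are the signal the remediation recommends monitoring for.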

Added: Sep 30, 2025, 8:16 PM
Updated: Sep 30, 2025, 8:16 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.2
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.