GoJobs Insecure Direct Object Reference Vulnerability in Job Retrieval Endpoint
Vulnerability
An insecure direct object reference (IDOR) vulnerability has been identified in GoJobs, a REST API for a job board platform. Because the job retrieval endpoint performs neither an authentication check nor an authorization check, an unauthenticated user can read job details simply by supplying a job identifier in the request. The issue affects all versions of the application.
Impact
The vulnerability allows unauthorized access to job data, enumeration of data through predictable IDs, potential scraping of platform data, and exposure of internal business information.
Reproduction
The vulnerability can be reproduced by sending a GET request to the job retrieval endpoint with a specific job ID and no authentication headers. The response contains the job details for the specified ID, demonstrating the unauthorized access; because the IDs are sequential, the same request can be repeated across the ID range to enumerate the data set.
Remediation
To address this vulnerability, it is recommended to require authentication for the job retrieval endpoint, enforce authorization checks based on user roles or record ownership, avoid exposing sequential object identifiers directly, consider indirect references such as UUIDs, and apply rate limiting so that enumeration attempts are slowed and become visible in logs.
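The remediation above, shown as an added example that is not GoJobs' own code: a handler with the reported flaw beside a hardened one that requires a bearer token, checks record ownership, and returns the same 404 for a missing job and for another user's job so the endpoint cannot be used to probe which IDs exist. The path prefix, the token values and the `jobOwner`, `jobTitle` and `sessionUser` tables are constructed for the example and stand in for the real session and data layers.

```go
package main
import (
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Constructed data (not GoJobs' own): job owner and title by ID, plus a
// token-to-user table standing in for real session validation.
var jobOwner = map[int]int{1: 10, 2: 20}
var jobTitle = map[int]string{1: "Backend engineer", 2: "SRE"}
var sessionUser = map[string]int{"token-alice": 10, "token-bob": 20}

// vulnerableGetJob reproduces the flaw: the ID taken from the URL is
// looked up and returned with no authentication or ownership check.
func vulnerableGetJob(w http.ResponseWriter, r *http.Request) {
	id, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/jobs/"))
	if title, ok := jobTitle[id]; ok {
		w.Write([]byte(title))
		return
	}
	http.NotFound(w, r)
}

// hardenedGetJob requires a valid bearer token and returns only the caller's
// own jobs; a missing job and another user's job both get the same 404.
func hardenedGetJob(w http.ResponseWriter, r *http.Request) {
	uid, ok := sessionUser[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	id, err := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/jobs/"))
	if title, found := jobTitle[id]; err == nil && found && jobOwner[id] == uid {
		w.Write([]byte(title))
		return
	}
	http.NotFound(w, r)
}

// status drives a handler in-process and returns its HTTP status code.
func status(h http.HandlerFunc, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}
```

Driving both handlers with `status` shows the difference directly: the vulnerable handler serves job 2 with no token, while the hardened one returns 401 without a token, 404 for a user who does not own the job, and 200 only for its owner.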
