Today I bring a recent case. While analyzing the authentication flow of an application, I observed a call to an API endpoint on a "forgotten" subdomain (unfortunately I can't give more details).
It was immediately clear that it was a Django REST Framework API, that debug mode was enabled, and that some endpoints were also being revealed.
By accessing the /swagger route, I got information about requests and parameters, such as reading information from organizations. The point is that the "id" parameter was a large and unpredictable number, so it was necessary to know the identifier of an organization to query its information. The DELETE and POST methods were also documented (although POST was disabled).
Interestingly, when sending a request omitting the "id" parameter, information about all organizations was returned:
curl 'https://redacted.com/api/organization?id=&format=json'
In other words, this was a Broken Function-Level Authorization issue, since without any kind of authentication it was possible to access the data of all organizations!
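As an added illustration (not the author's code and not the application's), the following Django-free stand-in reproduces the behaviour described above: a view that skips the lookup filter whenever "id" is absent or empty, and does no authentication, placed next to a hardened version. The organization records, owner names and function names are constructed for the example.

```python
# Added example (not from the original post): a minimal stand-in for a DRF
# organization endpoint, showing why an empty "id" query parameter can dump
# every record, and what the hardened handler looks like. No Django needed.
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data standing in for the Organization table.
ORGANIZATIONS = {
    4829103746: {"id": 4829103746, "name": "Org A", "owner": "alice"},
    9173028461: {"id": 9173028461, "name": "Org B", "owner": "bob"},
}


@dataclass
class Request:
    user: Optional[str]          # None = unauthenticated caller
    params: dict = field(default_factory=dict)


def organization_view_vulnerable(req: Request):
    """Mirrors the weak pattern: no auth check, and a falsy 'id' (absent or
    the empty string from '?id=') simply skips the filter, so every
    organization is returned."""
    org_id = req.params.get("id")
    rows = list(ORGANIZATIONS.values())
    if org_id:                      # "" and None both fail this test
        rows = [r for r in rows if str(r["id"]) == org_id]
    return 200, rows


def organization_view_hardened(req: Request):
    """Authenticate first, treat a missing or empty id as a client error,
    and scope the lookup to organizations the caller owns."""
    if req.user is None:
        return 401, {"detail": "Authentication credentials were not provided."}
    raw = req.params.get("id", "")
    if not raw.isdigit():
        return 400, {"detail": "id is required"}
    row = ORGANIZATIONS.get(int(raw))
    # 404 rather than 403 so the caller cannot confirm that other ids exist.
    if row is None or row["owner"] != req.user:
        return 404, {"detail": "Not found."}
    return 200, row
```

The vulnerable handler returns both records for an unauthenticated `?id=` request, which is the leak the curl command above triggered; the hardened one rejects it with 401, and even a logged-in user gets 400 for an empty id and 404 for someone else's organization.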