Vuln ID: TP-018
Title: BOLA / Mass Assignment on Profile Update
Severity: high
Type: IDOR
HTTP Method: PUT
URL: /auth/profile
Parameter: user_id
Filename: -
Code Location: backend/api/controllers/AuthController.php line 150

Description

The profile update endpoint (PUT /auth/profile) accepts an optional user_id parameter in the request body. When it is present, the handler updates the name of the user with that ID instead of the authenticated user's own record, so any authenticated user can change another user's profile.

Proof of Concept

Send PUT /auth/profile with the body {"user_id": 3, "name": "hacked"} as any authenticated user.

Remediation

Always use the authenticated user's ID; ignore client-supplied user_id.
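The following is an added illustration, not code from the project's AuthController: a minimal profile-update handler in its vulnerable form next to the remediated form. It uses a constructed in-memory user table and hypothetical function names so it runs stand-alone from the PHP CLI; the vulnerable function mirrors the pattern described in this finding, and the fixed function takes the target row only from the authenticated session, whitelists the fields the endpoint may change, and logs any client-supplied user_id so tampering is visible in server logs.

```php
<?php
// Added example (not the project's own code). Two versions of a profile-update
// handler operating on a constructed in-memory "users" table so the difference
// can be observed without a database or framework.

// Constructed sample data standing in for the users table (hypothetical values).
$users = [
    1 => ['name' => 'alice'],
    2 => ['name' => 'bob'],
    3 => ['name' => 'carol'],
];

// Vulnerable pattern (hypothetical name): the request body may choose which
// row is written, so an authenticated user can overwrite any other user's name.
function updateProfileVulnerable(array &$users, int $authUserId, array $body): void
{
    $targetId = $body['user_id'] ?? $authUserId;   // client overrides the target
    $users[$targetId]['name'] = $body['name'] ?? '';
}

// Fixed pattern (hypothetical name): the target row comes only from the
// authenticated session, and only whitelisted fields are copied from the body.
function updateProfileFixed(array &$users, int $authUserId, array $body): array
{
    $allowed = ['name'];                                  // fields this endpoint may change
    $changes = array_intersect_key($body, array_flip($allowed));

    if (array_key_exists('user_id', $body)) {
        // Log rather than silently drop the key so tampering attempts are visible.
        error_log("profile update: ignoring client-supplied user_id for user {$authUserId}");
    }

    if (!isset($changes['name']) || !is_string($changes['name']) || $changes['name'] === '') {
        return ['status' => 400, 'error' => 'name is required'];
    }

    $users[$authUserId]['name'] = $changes['name'];
    return ['status' => 200, 'user_id' => $authUserId];
}

// Demonstration: authenticated user 1 sends a body that also carries user_id 3
// (the same request shape described in the finding).
$authUserId = 1;
$body = json_decode('{"user_id": 3, "name": "hacked"}', true);

$table = $users;
updateProfileVulnerable($table, $authUserId, $body);
echo "vulnerable handler: user 3 name is now '{$table[3]['name']}'\n";

$table = $users;
$result = updateProfileFixed($table, $authUserId, $body);
echo "fixed handler: user 3 name is '{$table[3]['name']}', "
   . "user 1 name is '{$table[1]['name']}' (status {$result['status']})\n";
```

Run it with `php example.php`: the vulnerable handler writes to row 3, while the fixed handler writes only to row 1 and emits a log line noting the ignored user_id. The whitelist via array_intersect_key is what closes the mass-assignment half of the finding; deriving the target from the session closes the BOLA half.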