Description
The application allows users to delete their own videos through a specific endpoint that relies on a video_id parameter.
However, due to improper authorization checks, it was possible to manipulate this parameter and delete videos belonging to other users.
Exploitation Steps
1. Capture Delete Request
- Delete a video from your own account.
- Intercept the request using Burp Suite.
Request:
POST /api/deleteVideo
{
"video_id": "a7c3d9e1"
}
2. Challenge
- The main challenge was that I couldn't delete a victim's video directly, because the video_id values were random and unpredictable. This made it impossible to guess or brute-force the correct ID needed to target a specific video.
3. Bypass via Like Functionality 💡
- Like any target video from the victim's profile.
- Intercept the like request using Burp Suite.
Example:
POST /api/like
{
"video_id": "9f8a7b6c"
}
- Extract the video_id from this request.
4. Exploit
- Replace your own video_id in the delete request with the victim's video_id.
POST /api/deleteVideo
{
"video_id": "9f8a7b6c"
}
✅ Result: The victim's video is deleted successfully.
Root Cause
The server fails to validate whether the authenticated user owns the video_id being passed in the delete request.
Impact
Unauthorized deletion of any user's videos.
Mitigation
Enforce strict ownership checks on the backend:
- Verify that the authenticated user owns the video_id.
- Avoid exposing sensitive object identifiers unnecessarily.
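To make the root cause and the fix concrete, here is a minimal model of the delete handler, written as an added example for this writeup; it is not the application's code. The in-memory store, the user names "attacker" and "victim", and the function names are constructed for illustration; the two video_id values are the ones shown in the requests above. The first handler behaves as the report describes (it trusts the client-supplied video_id), the second adds the server-side ownership check the Mitigation section calls for.

```python
# Added example, not the application's real code. Models the delete endpoint
# with and without an ownership check.

# Constructed in-memory video store: video_id -> owner user id.
# The ids look random on purpose: unpredictability is not an authorization
# control, because other endpoints (here, /api/like) reveal them to any user.
VIDEOS = {
    "a7c3d9e1": "attacker",
    "9f8a7b6c": "victim",
}


def delete_video_vulnerable(store, current_user, video_id):
    """Handler as the report describes it: it acts on whatever video_id the
    client sends and never checks who owns it (insecure direct object reference).
    current_user is available from the session but is ignored."""
    if video_id not in store:
        return 404
    del store[video_id]
    return 200


def delete_video(store, current_user, video_id):
    """Fixed handler: the decision uses the server-side owner record and the
    server-side session identity; nothing in the request body is trusted."""
    owner = store.get(video_id)
    if owner is None:
        return 404
    if owner != current_user:
        # Reject before any state change. Returning 404 here instead of 403 is
        # a valid choice if you do not want the endpoint to confirm which ids exist.
        return 403
    del store[video_id]
    return 200


def victim_video_survives(handler):
    """Replay step 4 of the report against a handler: the attacker, having
    learned the victim's video_id from the like request, sends it to the
    delete endpoint. Returns True if the victim's video is still there."""
    store = dict(VIDEOS)
    handler(store, current_user="attacker", video_id="9f8a7b6c")
    return "9f8a7b6c" in store


if __name__ == "__main__":
    print("vulnerable handler keeps victim video:", victim_video_survives(delete_video_vulnerable))
    print("fixed handler keeps victim video:     ", victim_video_survives(delete_video))
```

The check that matters is the comparison of the stored owner against the authenticated session user; it must run on every object-level operation (delete, edit, make private), not only on delete, and it must happen before any state change. Random-looking identifiers are fine to keep, but they are not a substitute for this check.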