Author: Hasan_Khan0x
Reward: €€€
Program: Responsible Disclosure Bug Bounty
Checklist Used: Ultimate IDOR Testing Checklist https://github.com/mrdesoky0/vulnerabilities/blob/main/Ultimate%20Checklist/Ultimate%20IDOR%20Testing%20Checklist.md

🔍 Summary

During a responsible disclosure program engagement, I discovered an Insecure Direct Object Reference (IDOR) vulnerability in a dictionary management endpoint. This flaw allowed authenticated users to delete dictionary items belonging to other accounts, without proper authorization checks.

The issue was validated, triaged, and rewarded with €€€.

👨‍💻 About Me

I've been actively involved in bug bounty hunting since 2020, focusing on web application security, responsible disclosure, and external bug bounty programs. I'm currently a CSE student at Uttara University, passionate about ethical hacking and community-driven cybersecurity learning.

🧠 Discovery Mindset

My testing approach focused on:
- Inspecting endpoints where user-controlled IDs were passed in requests.
- Targeting destructive actions (like deletion) that could impact user data.
- Modifying parameters to check if cross-user access was possible.

I used the Ultimate IDOR Testing Checklist to guide my testing process.

📨 Vulnerable Request

The vulnerable request looked like this:

POST /a/wasp/app/1/dict HTTP/1.1
Content-Type: application/x-www-form-urlencoded

voiceid=261&btnitem_delete=&ids[188906]=188906&check[188906]=188906&search[188906]=khan&replace[188906]=hasan

By changing the ids[…] parameter to another user's dictionary item ID, I was able to delete their entry without authorization.

⚠️ Impact

- Unauthorized deletion of dictionary items.
- Loss of personalized data without user consent.
- Potential abuse in multi-user environments.

The server responded with HTTP/1.1 200 OK, confirming successful deletion even when the item didn't belong to my account.

🧪 Root Cause

The backend failed to enforce object-level authorization. While the UI restricted access, the server-side logic did not verify ownership before processing deletion requests — a classic IDOR flaw.

✅ Responsible Disclosure Program & Reward €€€

I responsibly reported the issue through the program. The security team validated and triaged the report, and I received a €€€ reward for the finding.

🧠 Key Takeaway

Authorization must always be enforced at the backend. UI restrictions alone are insufficient — without consistent server-side checks, IDOR vulnerabilities will persist.
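To make the root cause and the takeaway concrete, here is an added example (my own illustration, not code from the affected application or from the author): a minimal handler for a form body shaped like the request above, first in the vulnerable form that deletes whatever `ids[...]` names, then hardened so the delete is scoped to rows the requester owns. The in-memory `ITEMS` store and the account names are constructed sample data.

```python
from urllib.parse import parse_qs

# Constructed sample store: dictionary item id -> owning account.
# 188906 is the id from the report; the owners are invented for this example.
ITEMS = {188906: "alice", 188907: "bob"}

# Body of the reported request (from the write-up).
BODY = ("voiceid=261&btnitem_delete=&ids[188906]=188906&check[188906]=188906"
        "&search[188906]=khan&replace[188906]=hasan")


def parse_item_ids(body: str) -> list[int]:
    """Extract item ids from a PHP-style form body ('ids[188906]=188906').
    Only the ids[...] family is treated as the target list; check[...],
    search[...] and replace[...] are ignored for the delete decision."""
    ids = []
    for key, values in parse_qs(body, keep_blank_values=True).items():
        if key.startswith("ids[") and key.endswith("]"):
            ids.extend(int(v) for v in values if v.isdigit())
    return ids


def delete_vulnerable(store: dict, body: str, requester: str):
    """Mirrors the reported flaw: the requester is never consulted, so any
    existing id named by the client is deleted and 200 is returned."""
    deleted = []
    for item_id in parse_item_ids(body):
        if item_id in store:
            del store[item_id]
            deleted.append(item_id)
    return 200, deleted


def delete_hardened(store: dict, body: str, requester: str):
    """Object-level authorization: every requested id must belong to the
    requester. Authorization is checked for the whole batch before any row
    is touched, so a request mixing own and foreign ids deletes nothing.
    Missing and foreign ids get the same 404 so the endpoint does not
    confirm which ids exist."""
    requested = parse_item_ids(body)
    if any(store.get(item_id) != requester for item_id in requested):
        return 404, []
    for item_id in requested:
        del store[item_id]
    return 200, requested


if __name__ == "__main__":
    s = dict(ITEMS)
    print("vulnerable, bob deleting alice's item:", delete_vulnerable(s, BODY, "bob"))
    s = dict(ITEMS)
    print("hardened, bob deleting alice's item:", delete_hardened(s, BODY, "bob"))
    s = dict(ITEMS)
    print("hardened, alice deleting her own item:", delete_hardened(s, BODY, "alice"))
```

The same idea in a database-backed handler is a delete that carries the owner in its predicate (for example `DELETE ... WHERE id = ? AND owner_id = ?`) and treats a zero row count as "not found", rather than looking the row up by id alone. The check lives in the request handler, independent of whether the UI ever shows the button.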

🙌 Final Thoughts

This case demonstrates how small oversights in access control can lead to serious data integrity issues. Developers should implement strict backend authorization, and bug bounty hunters should always test destructive endpoints for IDOR.

🔗 Connect with Me
- LinkedIn: https://www.linkedin.com/in/hasankhan0x
- Twitter (X): https://twitter.com/Hasan_Khan0X