BFLA Leads to Deleting Any User in the System

Mostafa Elguerdawi
3 min read · Sep 11, 2023


Hello, I’m Mostafa Elguerdawi. This write-up is about one of my recent reports; I will explain how I found it from zero, so let’s start.

First, let’s say my target was redacted.com.

Find subdomains from Shodan

I decided to get my target’s favicon hash in order to find more subdomains through Shodan.

First I went to https://redacted.com/favicon.ico and checked the favicon.

Then I got the favicon hash using this Python code:

```python
import codecs

import mmh3
import requests

url = input("Enter URL >> ")                      # e.g. https://redacted.com/favicon.ico
response = requests.get(url, timeout=10)
response.raise_for_status()                       # stop on a 403/404 rather than hashing an error page
# Shodan hashes the base64 encoding of the favicon bytes (with codecs' line breaks) using MurmurHash3.
favicon = codecs.encode(response.content, "base64")
favicon_hash = mmh3.hash(favicon)                 # renamed from `hash` so the builtin is not shadowed
print(favicon_hash)
```

Last, I went to Shodan and submitted this query: http.favicon.hash:<favicon-hash>

I found some new subdomains. After some testing I found one that appeared to be an admin panel.

Login with default credentials

I tried some default credentials, and one worked: admin:admin.

After a successful login I didn’t find any important data or anything that could cause critical impact.

I decided to check the Burp Suite history requests, and I found an interesting one.

I sent it to Repeater

I played around a bit with this endpoint until I was able to list all the users on the site, just by changing the endpoint from /api/v1/users/admin to /api/v1/users/!

BFLA: Broken Function Level Authorization

So what is BFLA?

Broken Function Level Authorization (BFLA) is a common issue, and it sits at position number 5 on the OWASP API Top 10 2023 Candidate list. Let’s take a closer look at this vulnerability.

BFLA allows unauthorized users to access functionality in API endpoints that should be restricted: the API checks that the caller may reach the endpoint, but not that they may call that particular function on it (for example, a DELETE on the same path they are allowed to GET). The requests used in these attacks often look completely legitimate and pass through controls such as Web Application Firewalls.

For more details about BFLA

Normal request:

Next I tried BFLA to delete another user that I didn’t have access to.

All I did was change GET /api/v1/users/user to DELETE /api/v1/users/user.

Yes, I only changed the request method from GET to DELETE.

Back to GET /api/v1/users/user

And I had successfully deleted the user.
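To make the server-side defect concrete, here is an added example (my own sketch, not the target’s code) of a users handler that authorizes the route but not the HTTP method, next to one that checks the (method, caller) combination before touching the record; the roles "admin" and "viewer" and the sample user store are assumptions.

```python
# Constructed sample store: the roles and usernames are assumptions, not the target's data.
SAMPLE_USERS = {
    "admin":  {"role": "admin"},
    "viewer": {"role": "viewer"},   # low-privilege panel account
    "alice":  {"role": "viewer"},
}

# Function-level permissions: which roles may invoke which operation on a user record.
# The vulnerable handler never consults this table.
PERMISSIONS = {
    "GET":    {"admin", "viewer"},  # viewing a profile
    "DELETE": {"admin"},            # deleting an account is an admin-only function
}


def fresh_users():
    """Return an independent copy of the sample store so each scenario can mutate it."""
    return {name: dict(attrs) for name, attrs in SAMPLE_USERS.items()}


def vulnerable_users_endpoint(method, target, caller, users):
    """Route-level check only: any logged-in caller may use every method on /api/v1/users/<target>."""
    if caller not in users:
        return 401, None                       # not authenticated
    if target not in users:
        return 404, None
    if method == "GET":
        return 200, {"username": target, "role": users[target]["role"]}
    if method == "DELETE":
        del users[target]                      # BFLA: same gate as GET, so the verb switch succeeds
        return 204, None
    return 405, None


def hardened_users_endpoint(method, target, caller, users):
    """Function-level check: authorize the (method, caller) pair, not just the path."""
    if caller not in users:
        return 401, None
    if method not in PERMISSIONS:
        return 405, None
    # Deny before looking the target up, so an unauthorized caller learns nothing about it.
    if users[caller]["role"] not in PERMISSIONS[method]:
        return 403, None
    if target not in users:
        return 404, None
    if method == "GET":
        return 200, {"username": target, "role": users[target]["role"]}
    del users[target]                          # only reached by an admin DELETE
    return 204, None
```

The fix is the permission table keyed by method: the path stays the same, but the verb now has its own authorization decision, which is what a WAF or a route-level check alone cannot supply.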
