Broken Access Control: IDOR
Title: IDOR To Update Personal Data Of Other Users
Weakness: Broken Access Control - IDOR
Severity: Medium (4-6)
Impact: An attacker could update the personal data of other users
Steps To Reproduce:
1. Register two accounts (attacker,victim)
2. Login to attacker account
3. Navigate to "User Profile" and update "Your personal data"
4. Click on the "save changes" button and capture the request on BurpSuite
5. Now change the Id parameter to the victim's id, and you successfully change the victim's personal data
Fuzzing Id Parameter:
└─$ wfuzz -d 'message={"Id":"FUZZ","username":"POC"}&token=ey...' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -c -w ~/Desktop/fuzz-id.txt -u "https://www.target.com/xxx/updateUserProfile"
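The server-side handling that would have prevented this finding, as an added illustration rather than code from the report or the target: a Python handler for the request shape above (a `message` JSON field plus a `token`) that trusts the client-supplied Id, beside one that derives the target from the session and logs any mismatch. The session map, user store and token values are constructed.

```python
import json
from urllib.parse import parse_qs, urlencode

# Constructed session map and user store (assumptions, not from the report).
SESSIONS = {"tok-attacker": "1001", "tok-victim": "1002"}

def make_store():
    """Fresh in-memory profile store keyed by user Id."""
    return {"1001": {"username": "attacker"}, "1002": {"username": "victim"}}

def build_body(user_id, username, token):
    """Form body in the report's shape: message=<json>&token=<session token>."""
    return urlencode({"message": json.dumps({"Id": user_id, "username": username}),
                      "token": token})

def parse_update_request(body):
    """Split the form body into the JSON message and the session token."""
    fields = parse_qs(body)
    return json.loads(fields["message"][0]), fields["token"][0]

def vulnerable_update_profile(store, body):
    """Authenticates the caller but trusts the client-supplied Id, so any
    logged-in user can overwrite any profile (the reported behaviour)."""
    message, token = parse_update_request(body)
    if token not in SESSIONS:
        return 401, "unauthenticated"
    store[message["Id"]]["username"] = message["username"]
    return 200, "updated"

def fixed_update_profile(store, body):
    """Derives the target Id from the session and refuses any other Id;
    the mismatch is logged because it is the access-control event worth alerting on."""
    message, token = parse_update_request(body)
    caller_id = SESSIONS.get(token)
    if caller_id is None:
        return 401, "unauthenticated"
    requested_id = message.get("Id")
    if requested_id != caller_id:
        print(f"AUTHZ_DENY caller={caller_id} requested_id={requested_id}")
        return 403, "forbidden"
    store[caller_id]["username"] = message["username"]
    return 200, "updated"

if __name__ == "__main__":
    store = make_store()
    # Attacker session asking to update the victim's profile is refused.
    print(fixed_update_profile(store, build_body("1002", "POC", "tok-attacker")))
```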
Reference:
1. https://portswigger.net/web-security/access-control/idor
2. https://owasp.org/Top10/A01_2021-Broken_Access_Control