Juicy Shop

Forged Product Review (IDOR)

Broken Access ControlA01:2021 – Broken Access Controlmedium

Vulnerability

The review endpoint trusts an `authorId` supplied in the request body instead of deriving it from the authenticated session. By changing that field, an attacker can post reviews attributed to any other user — an Insecure Direct Object Reference (IDOR) that lets them impersonate victims and forge content. The same class of flaw allows tampering with or deleting resources owned by others.

Exploit Steps

  1. Log in as any user and navigate to a product page
  2. Intercept the POST /api/reviews request with Burp Suite
  3. Modify the authorId field in the request body to another user's profile ID
  4. Forward the request — if the server trusts the client-supplied authorId, the review is posted as that user (IDOR)

Tools: Burp Suite, browser devtools, curl

Mitigation & Solution

Never trust client-supplied user identity fields. Always derive the author from the authenticated session on the server. Validate that the session user matches the resource owner before mutation.

Coding Challenge

Find It

File: apps/juicy-shop/src/app/api/reviews/route.ts

Click the line that contains the vulnerability:

Fix It