# Vulnerability Summary: IDOR Leading to User Profile Takeover (VULN-002)

## Vulnerability Overview

* **Vulnerability Type**: Insecure Direct Object Reference (IDOR)
* **Severity**: CRITICAL
* **Affected Version**: Laravel 1.0 Invoice System
* **Description**: The profile workflow uses a user-controllable `id` in the route without verifying whether the profile belongs to the currently authenticated user. An attacker can view or modify any user's profile data simply by changing the ID in the URL.
* **Vulnerable Endpoint**: `/profile/{id}` (supports GET and POST methods)

## Impact Scope

* **Confidentiality**: Unauthorized access to other users' private profile information.
* **Integrity**: Potential arbitrary modification of any user's email, name, and settings.
* **Account Takeover**: Modifying the email address could lead to bypassing account recovery mechanisms.

## Remediation

1. **Bind to Authenticated User**: Resolve profile operations using `auth()->user()` instead of accepting the ID from the route.
2. **Authorization Policies**: Implement policies to ensure that the `user_id` matches the authenticated session.
3. **UUIDs**: Use non-sequential identifiers to prevent easy enumeration of user profiles.

## Proof of Concept (PoC)

**POST Request Demonstration:**

```http
POST /profile/1 HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

name=CompromisedUser&email=owned@example.com
```

**Exploitation Logic Explanation:**

This request targets an arbitrary profile ID (`id=1`). The backend updates the record associated with `id=1` without checking whether it matches the current `auth()->id()`.
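The three remediation steps above, shown together in Laravel code. This is an added example written for this summary, not code from the affected invoice system; the class names (`ProfileController`, `UserPolicy`, `User`), the route names `profile.show` and `profile.update`, and the validated field list are assumptions chosen to illustrate the pattern.

```php
<?php
// Added example (assumed names throughout), not the affected project's code.
// Three pieces, normally three files: the policy, the controller, the routes.

// --- app/Policies/UserPolicy.php ---------------------------------------
namespace App\Policies;

use App\Models\User;

class UserPolicy
{
    // Step 2: an actor may only view or update their own profile row.
    // Compare identities, never trust an id supplied by the client.
    public function view(User $actor, User $target): bool
    {
        return $actor->is($target);
    }

    public function update(User $actor, User $target): bool
    {
        return $actor->is($target);
    }
}

// --- app/Http/Controllers/ProfileController.php --------------------------
namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class ProfileController extends Controller
{
    // BEFORE: the vulnerable shape described in the summary. The row to
    // update is selected by the route parameter, so any authenticated user
    // can point it at any other user's record (IDOR).
    public function updateVulnerable(Request $request, int $id)
    {
        $user = User::findOrFail($id);
        $user->update($request->only(['name', 'email']));

        return redirect()->route('profile.show', $user->id);
    }

    // AFTER, step 1: drop {id} from the route and act on the authenticated
    // principal only. The client can no longer name a target record at all.
    public function update(Request $request)
    {
        $user = $request->user();   // equivalent to auth()->user()

        $data = $request->validate([
            'name'  => ['required', 'string', 'max:255'],
            // the unique rule ignores the caller's own row
            'email' => ['required', 'email', 'max:255', 'unique:users,email,' . $user->id],
        ]);

        $user->fill($data)->save();

        return redirect()->route('profile.show');
    }

    // AFTER, step 2: where an id must stay in the route (e.g. an admin view),
    // let the policy decide. Gate::authorize throws a 403 on denial, so the
    // check cannot be skipped by a missing if-branch.
    public function show(Request $request, User $user)
    {
        Gate::authorize('view', $user);

        return view('profile.show', ['user' => $user]);
    }
}

// --- routes/web.php ------------------------------------------------------
// Step 1 at the routing layer: no user-controlled id in the profile routes.
use App\Http\Controllers\ProfileController;
use Illuminate\Support\Facades\Route;

Route::middleware('auth')->group(function () {
    Route::get('/profile',  [ProfileController::class, 'show'])->name('profile.show');
    Route::post('/profile', [ProfileController::class, 'update'])->name('profile.update');
});
```

Step 3 (non-sequential identifiers) is a model-level change rather than a controller one: adding the `Illuminate\Database\Eloquent\Concerns\HasUuids` trait to the `User` model and a `uuid` primary key column makes profile ids unguessable. Treat that as defence in depth only; the policy check is what actually closes the IDOR, because an attacker who learns a UUID by other means must still fail the `view`/`update` comparison. With the route parameter removed, the PoC request above (`POST /profile/1`) no longer resolves to any handler, and a request to `/profile` can only ever touch the caller's own row.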