PR REVIEW: Insecure Direct Object Reference (IDOR) · #389 · Airbnb · Dropbox
Junior · ~12 min
PULL REQUEST
Open · #389 · 1 commit
Insecure Direct Object Reference (IDOR)
junior-dev-99 wants to merge feature/invoice-download into main
1 file changed · 6 days ago
YOUR MISSION
A security researcher privately reported they can download any user's invoice by changing a number in the URL. A junior dev wrote this endpoint last sprint. It passed code review — but the bug is sitting in plain sight.
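To make the report concrete before reading the diff, here is an added example (not code from this PR or its repository) that runs the endpoint's query and a tenant-scoped version of it side by side. It assumes `requireAuth` attaches the caller's identity as `req.user.id` (the PR does not show what it sets); the `db` object is an in-memory stand-in for a `pg` client that understands only the two statements used here, and the `invoices` rows are constructed sample data.

```javascript
// Constructed sample data: invoice 1 belongs to user 10, invoice 2 to user 20.
const invoices = [
  { id: 1, user_id: 10, amount_cents: 4200, pdf_key: 'inv/1.pdf' },
  { id: 2, user_id: 20, amount_cents: 9900, pdf_key: 'inv/2.pdf' },
];

// Minimal fake of pg's `query(text, values)`: resolves `{ rows }` like the
// real client, but only for the two statements compared in this example.
const db = {
  async query(text, values) {
    if (text === 'SELECT * FROM invoices WHERE id = $1') {
      return { rows: invoices.filter((r) => r.id === Number(values[0])) };
    }
    if (text === 'SELECT * FROM invoices WHERE id = $1 AND user_id = $2') {
      return {
        rows: invoices.filter(
          (r) => r.id === Number(values[0]) && r.user_id === values[1]
        ),
      };
    }
    throw new Error(`unexpected query: ${text}`);
  },
};

// Shape of the request after `requireAuth` (assumption: it sets `req.user.id`
// from the session or token); `req.params.id` is whatever was typed in the URL.
function fakeReq(userId, id) {
  return { user: { id: userId }, params: { id: String(id) } };
}

// The handler as written in the PR: the only check is "is logged in".
async function getInvoiceVulnerable(req) {
  const { id } = req.params;
  const invoice = await db.query('SELECT * FROM invoices WHERE id = $1', [id]);
  if (!invoice.rows[0]) return { status: 404, body: { error: 'Not found' } };
  return { status: 200, body: invoice.rows[0] };
}

// Scoped handler: the owner comes from the authenticated principal, never
// from the request. A row the caller does not own is answered exactly like a
// row that does not exist (404 for both), so the endpoint is not an oracle
// for which invoice ids are valid.
async function getInvoiceScoped(req) {
  const id = Number.parseInt(req.params.id, 10);
  if (!Number.isInteger(id) || id < 1) {
    return { status: 400, body: { error: 'Bad id' } };
  }
  const invoice = await db.query(
    'SELECT * FROM invoices WHERE id = $1 AND user_id = $2',
    [id, req.user.id]
  );
  if (!invoice.rows[0]) return { status: 404, body: { error: 'Not found' } };
  return { status: 200, body: invoice.rows[0] };
}

// Reproduce the researcher's report: user 20 requests invoice 1 (owned by 10),
// then check that the owner can still read it through the scoped handler.
async function demo() {
  const before = await getInvoiceVulnerable(fakeReq(20, 1));
  const after = await getInvoiceScoped(fakeReq(20, 1));
  const own = await getInvoiceScoped(fakeReq(10, 1));
  return { before: before.status, after: after.status, own: own.status };
}
```

Running `demo()` shows the unscoped query handing user 20 another user's invoice, while the scoped query returns 404 for the same request and 200 for the real owner. The ownership predicate lives in the query itself rather than in a post-fetch `if`, so there is no window in which the handler holds a row it is not allowed to return.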
REVIEWING AS: Senior Engineer @ Airbnb · Backend Platform
src/routes/invoices.js (+5 -0)
3
3
router.get('/invoices/:id', requireAuth, async (req, res) => {
4
4
const { id } = req.params;
5
+
const invoice = await db.query(
+
6
+
'SELECT * FROM invoices WHERE id = $1', [id]
+
7
+
);
+
8
+
if (!invoice.rows[0]) return res.status(404).json({ error: 'Not found' });
+
9
+
res.json(invoice.rows[0]);
+
5
10
});
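Review bot: The lookup `'SELECT * FROM invoices WHERE id = $1', [id]` is missing an ownership check: `requireAuth` only establishes that the caller is logged in, so any authenticated user can read any invoice by changing `:id`, which is the IDOR the researcher reported. Scope the query to the authenticated principal, for example `'SELECT * FROM invoices WHERE id = $1 AND user_id = $2', [id, req.user.id]` (using whatever identity field `requireAuth` actually attaches, which this diff does not show), and keep the existing 404 for the not-owned case so the endpoint does not reveal which invoice ids exist. Since `res.json(invoice.rows[0])` returns the whole row, also prefer listing the columns the client needs over `SELECT *` so a future column is not exposed by default.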