A security researcher discovered an IDOR vulnerability in the purchase order cancellation endpoint at mokapos.com. An authenticated user can cancel another user's purchase order simply by replacing the PO ID in the cancellation request, as the server performs no ownership or authorization check. The write-up details reproduction steps, the affected PUT endpoint, and the potential business impact including unauthorized cancellations and financial disruption. The report was ultimately marked out of scope by the vendor.
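The missing check described above is object-level authorization: the handler trusts the PO ID in the request path and never asks whether the authenticated user owns that order. The following is an added illustration, not code from the write-up, from mokapos.com or from any real project. It models a cancellation handler twice, once with the defect the report describes and once with the ownership check that closes it. The route name, the in-memory order store, the user IDs and the PO IDs are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed model of a purchase order; field names are hypothetical.
@dataclass
class PurchaseOrder:
    po_id: int
    owner_id: int
    status: str = "open"

# Constructed sample data: two users, each owning one open purchase order.
SAMPLE_ORDERS: Dict[int, PurchaseOrder] = {
    1001: PurchaseOrder(po_id=1001, owner_id=1),
    1002: PurchaseOrder(po_id=1002, owner_id=2),
}

def fresh_orders() -> Dict[int, PurchaseOrder]:
    """Return a copy of the sample store so each scenario starts clean."""
    return {k: PurchaseOrder(v.po_id, v.owner_id, v.status)
            for k, v in SAMPLE_ORDERS.items()}

def cancel_po_vulnerable(orders: Dict[int, PurchaseOrder],
                         session_user_id: int,
                         po_id: int) -> Tuple[int, dict]:
    """Hypothetical handler for PUT /purchase-orders/{po_id}/cancel that
    only checks that the caller is logged in. The PO ID from the path is
    used directly, so any authenticated user can cancel any order: this is
    the IDOR pattern the report describes. session_user_id is unused."""
    po = orders.get(po_id)
    if po is None:
        return 404, {"error": "not found"}
    po.status = "cancelled"
    return 200, {"po_id": po_id, "status": po.status}

def cancel_po_hardened(orders: Dict[int, PurchaseOrder],
                       session_user_id: int,
                       po_id: int) -> Tuple[int, dict]:
    """Same route with an object-level authorization check: the order must
    belong to the authenticated session user, and it may only move from
    'open' to 'cancelled'."""
    po = orders.get(po_id)
    # Answer 404 for both missing and foreign orders, so the response does
    # not tell a caller which PO IDs exist outside their own account.
    if po is None or po.owner_id != session_user_id:
        return 404, {"error": "not found"}
    if po.status != "open":
        return 409, {"error": f"cannot cancel an order in status '{po.status}'"}
    po.status = "cancelled"
    return 200, {"po_id": po_id, "status": po.status}

if __name__ == "__main__":
    # User 1 tries to cancel user 2's order 1002 through each handler.
    store = fresh_orders()
    print("vulnerable:", cancel_po_vulnerable(store, 1, 1002), store[1002].status)
    store = fresh_orders()
    print("hardened:  ", cancel_po_hardened(store, 1, 1002), store[1002].status)
```

The ownership comparison is the whole fix; everything else (the 404 for foreign IDs, the 409 on a second cancellation) is the kind of detail that keeps the hardened endpoint from leaking order existence or silently re-processing a cancelled order. In a real service the owner lookup would be a scoped database query (order ID and owner ID together) rather than a fetch followed by a comparison, which avoids loading objects the caller is not entitled to see at all.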
Table of contents
Summary
Affected Endpoint
Users
Steps to Reproduce
Impact
Timeline