
BugForge - Daily - Copy Pasta (Repeat)

This is a repeat of the daily challenge from January 14th, 2026.

Vulnerability Overview

An IDOR (Insecure Direct Object Reference) vulnerability in the delete functionality of the Copy Pasta snippet sharing application allows users to delete snippets belonging to other users. The delete endpoint accepts a snippet id as a query parameter without performing ownership validation, enabling enumeration of IDs and unauthorized deletion of other users’ snippets, ultimately leading to flag retrieval.

Key Issues:

  • The delete endpoint does not validate snippet ownership before processing requests
  • Snippet identifiers are passed as user-controlled query parameters
  • Authorization controls are inconsistently applied - update requests are properly restricted, but delete requests are not
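To make the inconsistency concrete, here is an added illustration (not the challenge's own code) of the snippet store and its handlers: an update handler that checks ownership, a delete handler that takes the id straight from the request and skips that check, and a fixed delete that reuses the same check. The store, the `require_owner` helper and the user names are assumptions for this example.

```python
# Added example, not code from the Copy Pasta application: an in-memory
# snippet store with the vulnerable delete handler beside the fixed one.
# Names (Snippet, require_owner, make_store, ...) are assumed here.
from dataclasses import dataclass


@dataclass
class Snippet:
    id: int
    owner: str
    body: str


class Forbidden(Exception):
    """Requesting user does not own the referenced snippet."""


class NotFound(Exception):
    """No snippet with this id exists."""


def make_store():
    # Constructed sample data: two users, sequential ids (the guessable key).
    return {1: Snippet(1, "alice", "alice's paste"),
            2: Snippet(2, "bob", "bob's paste")}


def require_owner(store, user, snippet_id):
    """One ownership check shared by every object-level operation."""
    snippet = store.get(snippet_id)
    if snippet is None:
        raise NotFound(snippet_id)
    if snippet.owner != user:
        raise Forbidden(f"{user} does not own snippet {snippet_id}")
    return snippet


def update_snippet(store, user, snippet_id, body):
    # Update is the properly restricted endpoint: ownership is enforced.
    snippet = require_owner(store, user, snippet_id)
    snippet.body = body
    return snippet


def delete_snippet_vulnerable(store, user, snippet_id):
    # The bug: the id from the query string is used as the key directly,
    # and `user` is never compared against the snippet's owner.
    if snippet_id not in store:
        raise NotFound(snippet_id)
    del store[snippet_id]
    return True


def delete_snippet_fixed(store, user, snippet_id):
    # Fix: apply the same ownership check as update before mutating state.
    require_owner(store, user, snippet_id)
    del store[snippet_id]
    return True
```

In a real service the check belongs in one place (a decorator, middleware or repository method) so that every object-level route, not just update, goes through it.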

Vulnerabilities Covered

  • IDOR (Insecure Direct Object Reference)

Classification

  • OWASP Top 10: A01:2021 - Broken Access Control
  • Vulnerability Type: Insecure Direct Object Reference (IDOR)
  • Attack Surface: Snippet delete endpoint
  • CWE: CWE-639 - Authorization Bypass Through User-Controlled Key

This post is licensed under CC BY 4.0 by the author.