Reverting any post’s reactions back to “0” on one of the largest communities for developers, “Hashnode”

Suvam Adhikari
3 min read · Jul 30, 2021

Hi everyone,

It’s me, Suvam Adhikari, a tech enthusiast kid. In this short writeup I will share how I was able to revert an arbitrary number of reactions on any post on one of the largest communities for developers, “Hashnode”.

Hashnode is a free content creation platform and community that allows users to publish articles.

Whenever a user reacted to another user’s post, a POST request was sent. The request sent when a user reacted and the request sent when a user un-reacted were identical: the endpoint acted as a toggle, with no explicit “add” or “remove” intent in the request.

So, I sent the request to Burp Intruder and set the payload position on the following header value. The server does not care about this header, so varying it simply makes Intruder replay the same reaction request once per payload.

Accept-Language: en-US,en;q=0.§5§

As the payload I used sequential numbers from 1 up to twice the number of reactions on the post, set the maximum number of concurrent requests to 30, and started the attack.

Then I refreshed the page to see what had actually happened. I was shocked to see that all 50 heart reactions had vanished. I also created a few test accounts to see what was going on and found that, after the attack, the post was automatically un-liked for the users who had reacted before. Similarly, an attacker could have reverted all the other reaction types in one click just by making a list of the 9 reaction_Id values and changing the attack type to Cluster Bomb.
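The writeup does not show Hashnode’s server code, so what follows is an added example of my own, not the author’s and not Hashnode’s: a hypothetical Python model of the bug class this attack implies. A toggle endpoint (one request means “flip my reaction”) that first checks whether the user has reacted and then decrements a shared counter, without doing both in one atomic step, lets a burst of concurrent requests from a single account decrement the counter once per request. The class names, the `ATTACKER` account, the 50 constructed reactor accounts and the floor at 0 are all assumptions; the `threading.Barrier` stands in for Intruder’s 30 concurrent connections by forcing every request past the check before any of them commits. The hardened version takes an explicit intent per request and does the check and the update inside one critical section, so replaying the same request is a no-op.

```python
import threading

# Constructed sample state (not real Hashnode data): 50 other accounts have
# already hearted the post, and "attacker" is the account sending requests.
ATTACKER = "attacker"
OTHER_USERS = [f"user{i}" for i in range(50)]


class ToggleReactions:
    """Vulnerable model: one endpoint both adds and removes a reaction, and the
    'has this user reacted?' check is separate from the counter update."""

    def __init__(self, reactors):
        self.reacted = set(reactors)   # who has reacted
        self.count = len(reactors)     # denormalised counter shown on the page
        self._counter_lock = threading.Lock()

    def _adjust(self, delta):
        # The counter update itself is atomic (like a DB $inc), but it is
        # unconditional: nothing re-checks whether this user still has a reaction.
        with self._counter_lock:
            self.count = max(0, self.count + delta)   # assumed floor at 0

    def toggle(self, user, after_check=None):
        already = user in self.reacted   # time-of-check
        if after_check is not None:
            after_check()                # lets the other requests reach this point
        if already:                      # time-of-use: every request that saw
            self.reacted.discard(user)   # already=True decrements once more
            self._adjust(-1)
        else:
            self.reacted.add(user)
            self._adjust(+1)


class IdempotentReactions:
    """Hardened model: the client states its intent (react / unreact) and the
    check and the update happen in one critical section, so a replayed request
    is a no-op instead of another decrement."""

    def __init__(self, reactors):
        self.reacted = set(reactors)
        self.count = len(reactors)
        self._lock = threading.Lock()

    def set_reaction(self, user, want):
        with self._lock:
            if want and user not in self.reacted:
                self.reacted.add(user)
                self.count += 1
            elif not want and user in self.reacted:
                self.reacted.discard(user)
                self.count -= 1
            return self.count


def _run(threads):
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def race_toggle(store, user, n_requests):
    """Fire n_requests toggles that all pass the check before any commits
    (the worst-case interleaving Intruder's concurrency can produce)."""
    barrier = threading.Barrier(n_requests)
    _run([threading.Thread(target=store.toggle, args=(user, barrier.wait))
          for _ in range(n_requests)])
    return store.count


def replay_unreact(store, user, n_requests):
    """Same burst against the hardened store: every request says 'unreact'."""
    _run([threading.Thread(target=store.set_reaction, args=(user, False))
          for _ in range(n_requests)])
    return store.count


def demo(n_requests=100):
    """Returns (count after racing the toggle, count after racing the fix)."""
    vulnerable = ToggleReactions(OTHER_USERS)
    vulnerable.toggle(ATTACKER)                            # attacker hearts the post: 51
    racy = race_toggle(vulnerable, ATTACKER, n_requests)   # 51 - n_requests, floored at 0

    fixed = IdempotentReactions(OTHER_USERS)
    fixed.set_reaction(ATTACKER, True)                     # 51
    safe = replay_unreact(fixed, ATTACKER, n_requests)     # only the first unreact counts: 50
    return racy, safe


if __name__ == "__main__":
    print(demo())
```

The point of the hardened store is not the lock alone: with an explicit intent, the server can express the change as a conditional write (for example deleting the row for this user and post and adjusting the counter only when a row was actually deleted), which stays correct under retries and concurrent connections even across multiple application servers. A per-account rate limit on reaction requests is a reasonable second layer but does not fix the logic on its own.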

I immediately wrote a short report about the issue and sent it to them. The issue was fixed within 2 weeks and they thanked me with a lousy t-shirt.

After the issue was fixed

I hope you enjoyed the short writeup. See you soon in the next writeup.

./logout.sh
