From debug mode enabled to PII disclosure via BFLA

Feb 18, 2025 - 18:54

Today I bring a recent case. While analyzing the authentication flow of an application, I observed a call to an API endpoint on a "forgotten" subdomain (unfortunately I can't give more details).

It was immediately clear that it was a Django REST Framework API with debug mode enabled, and that some endpoints were also revealed.

By accessing the /swagger route, I got information about requests and parameters, such as reading information from organizations. The point is that the "id" parameter was a large and unpredictable number, so it was necessary to know the identifier of an organization to query its information. The DELETE and POST methods were also documented (although POST was disabled).

Interestingly, when sending a request omitting the "id" parameter, information about all organizations was returned:

curl 'https://redacted.com/api/organization?id=&format=json'

In other words, a Broken Function-Level Authorization: without any kind of authentication it was possible to access data from all organizations!
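As an added illustration (not code from this post or from the application described), the following plain-Python model reproduces the behaviour observed above beside a hardened handler. The organization table, the user model and the handler names are assumptions standing in for the real Django REST Framework view, chosen so the example runs without Django.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for the real organization table.
@dataclass(frozen=True)
class Org:
    id: int
    name: str
    contact_email: str  # PII that must not leak

@dataclass(frozen=True)
class User:
    username: str
    org_ids: frozenset  # organizations this user is allowed to read

ORGS = [
    Org(839104772, "Acme Corp", "cto@acme.example"),
    Org(551920388, "Globex", "billing@globex.example"),
]

class Forbidden(Exception):
    pass

class BadRequest(Exception):
    pass

def vulnerable_list(params: dict, user: Optional[User] = None) -> list:
    """Models the observed endpoint: no authentication at all, and an empty
    ?id= is falsy, so the filter is silently dropped and every row returns."""
    org_id = params.get("id")
    if org_id:
        return [o for o in ORGS if str(o.id) == org_id]
    return list(ORGS)  # the "?id=" case: full PII disclosure

def hardened_list(params: dict, user: Optional[User] = None) -> list:
    """Require authentication, require a well-formed id, and scope the lookup
    to the caller's own organizations (foreign and unknown ids look alike)."""
    if user is None:
        raise Forbidden("authentication required")
    raw = params.get("id")
    if raw is None or not raw.isdigit():  # '' fails isdigit(), so it is rejected
        raise BadRequest("id is required and must be numeric")
    org_id = int(raw)
    if org_id not in user.org_ids:
        raise Forbidden("no such organization for this user")
    return [o for o in ORGS if o.id == org_id]
```

The hardened version rejects the empty-id request that leaked everything and, even with a valid id, only returns organizations the authenticated caller is entitled to.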