Exploiting a Vulnerable Web App: Redirect, IDOR & XSS in One Go

While poking around a Flask-based web app, I stumbled upon a combination of vulnerabilities that turned into a full exploit chain. The app looked basic on the surface — login, dashboard, some upload functionality — but under the hood, it had some serious issues.
Open Redirect
The first thing I noticed was an endpoint that redirected users to another URL based on a query parameter. There was no validation at all. This meant I could craft a link that would send anyone clicking it straight to a malicious site — perfect for phishing or chaining with other attacks later on.
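The standard fix for a redirect endpoint like the one described above is an allow-list check on the target before the Location header is set. The validator below is an added example written for this post, not code from the app or the author; the host name app.example, the function names and the sample inputs are constructed for illustration. It goes a little beyond the basic case by handling the shapes that defeat naive string checks: scheme-relative URLs, backslashes, triple slashes, userinfo tricks and control characters.

```python
# Added example (not code from the original post): an allow-list validator for
# redirect targets. Host names, function names and sample inputs are constructed.
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def safe_redirect_target(target, allowed_hosts, fallback="/"):
    """Return `target` if it is a site-relative path or an absolute http(s) URL
    on an allowed host; otherwise return `fallback`. Never raises on odd input."""
    if not isinstance(target, str) or not target.strip():
        return fallback
    candidate = target.strip()
    # Browsers drop tabs and newlines from URLs; a check that runs before the
    # browser's normalisation must refuse them rather than try to mimic it.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return fallback
    # Browsers treat backslash like a forward slash in http(s) URLs, so parse
    # "/\host" the way a browser would: as "//host".
    candidate = candidate.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. a malformed IPv6 literal
        return fallback
    allowed = {h.lower() for h in allowed_hosts}
    if parts.scheme:
        # Absolute URL: only http(s), no userinfo ("app.example@other.host"),
        # and the parsed host (lower-cased, port stripped) must be allow-listed.
        if parts.scheme not in ALLOWED_SCHEMES or "@" in parts.netloc:
            return fallback
        if parts.hostname not in allowed:
            return fallback
        return candidate
    # No scheme: accept only a path with exactly one leading slash. Both
    # "//host" and "///host" resolve to a foreign host in browsers, even though
    # urlsplit reports an empty netloc for the second form.
    if parts.netloc or not candidate.startswith("/") or candidate.startswith("//"):
        return fallback
    return candidate


def redirect_for(next_param, allowed_hosts=("app.example",)):
    """What the hardened handler does with the `?next=` value: choose the
    Location header from the validator instead of echoing the raw parameter."""
    return safe_redirect_target(next_param, allowed_hosts)


if __name__ == "__main__":
    # Constructed sample inputs covering the usual bypass shapes.
    samples = [
        "/dashboard",
        "https://app.example/settings",
        "https://other.example/login",
        "//other.example/login",
        "/\\other.example",
        "///other.example",
        "https://app.example@other.example/",
        "https://app.example.other.example/",
        "javascript:void(0)",
        "/dash\nboard",
    ]
    for sample in samples:
        print(f"{sample!r:45} -> {redirect_for(sample)!r}")
```

The validator compares `parts.hostname` rather than `parts.netloc`, so a port or mixed-case host on the allowed domain still passes, while anything that only looks like the allowed host at the start of the string does not. Logging the rejected values alongside the referrer is a cheap way to spot phishing campaigns that are probing the endpoint.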
IDOR (Insecure Direct Object Reference)
Next, I found a user info endpoint that took a user ID in the URL. But it didn’t check whether I was authorized to view that user’s data — it just returned it if the ID existed. So once logged in, I could change the ID in the URL and see data for other users. That’s a textbook IDOR vulnerability.
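To make the IDOR concrete from the defender's side, here is an added example (not code from the app or the author) with the lookup written both ways against an in-memory SQLite table. The table layout, the rows and the role names are constructed assumptions. The hardened version checks the requested ID against the session identity before touching the data, returns the same "nothing" for forbidden and non-existent IDs so the endpoint cannot be used to enumerate accounts, and records denied cross-user requests, which is the signal to alert on when one session walks through many IDs.

```python
# Added example (not code from the original post): the IDOR lookup and its fix.
# Table, columns, rows and role names are constructed for illustration.
import sqlite3

COLUMNS = ("id", "username", "email")


def make_db():
    """In-memory stand-in for the app's user table, populated with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "alice", "alice@example.test", "user"),
        (2, "bob", "bob@example.test", "user"),
        (3, "carol", "carol@example.test", "admin"),
    ])
    return conn


def user_info_vulnerable(conn, requested_id):
    """Mirrors the endpoint in the post: the ID from the URL is the only input,
    so any authenticated user receives any row that exists."""
    row = conn.execute("SELECT id, username, email FROM users WHERE id = ?",
                       (requested_id,)).fetchone()
    return dict(zip(COLUMNS, row)) if row else None


def user_info_hardened(conn, session_user_id, requested_id, audit=None):
    """Authorisation first, data second. Non-admins may only read their own row.
    A forbidden ID and a non-existent ID both yield None, so the response does
    not reveal which IDs exist. Denied cross-user requests are appended to
    `audit` (a list) for detection."""
    try:
        requested_id = int(requested_id)
    except (TypeError, ValueError):
        return None
    caller = conn.execute("SELECT role FROM users WHERE id = ?",
                          (session_user_id,)).fetchone()
    if caller is None:
        return None  # no valid session identity: nothing to show
    if caller[0] != "admin" and requested_id != session_user_id:
        if audit is not None:
            audit.append({"session_user": session_user_id,
                          "requested": requested_id, "decision": "deny"})
        return None
    row = conn.execute("SELECT id, username, email FROM users WHERE id = ?",
                       (requested_id,)).fetchone()
    return dict(zip(COLUMNS, row)) if row else None


if __name__ == "__main__":
    db = make_db()
    denied = []
    print("vulnerable, no identity, id=2 :", user_info_vulnerable(db, 2))
    print("hardened, alice asks for bob    :", user_info_hardened(db, 1, 2, denied))
    print("hardened, alice asks for alice  :", user_info_hardened(db, 1, 1, denied))
    print("hardened, admin carol asks bob  :", user_info_hardened(db, 3, 2, denied))
    print("denied attempts logged          :", denied)
```

The ownership check lives next to the query rather than in a decorator somewhere else, so a future endpoint that copies this function also copies the check. In a real Flask handler the `session_user_id` argument would come from the server-side session, never from the request.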
XSS (Cross-Site Scripting)
On the dashboard, there was a form that reflected input back into the page without any kind of sanitization. This opened the door to cross-site scripting. I was able to inject a simple script and have it execute right away. With a little creativity, this could be used to steal cookies, session data, or launch other attacks against users.
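Flask's Jinja2 templates autoescape HTML output by default, so a reflected XSS like this one usually means the value was concatenated into markup by hand or marked safe. The added example below (written for this post, not code from the app or the author; the form markup, function names and inputs are constructed) renders a reflected search term three ways: verbatim, escaped but inside an unquoted attribute, and escaped inside a quoted attribute. It then parses the result with the standard-library HTML parser to show which version actually lets user input become tags or attributes, and includes a CSP header as defence in depth.

```python
# Added example (not code from the original post): reflecting user input into
# HTML the unsafe way, the half-fixed way and the safe way. Markup and inputs
# are constructed for illustration.
from html import escape
from html.parser import HTMLParser


def render_search_vulnerable(query):
    """Mirrors the dashboard form in the post: the submitted value is pasted
    straight into the page, so tags and attributes in it become markup."""
    return ("<h1>Results for: " + query + "</h1>\n"
            "<form><input name=q value=" + query + "></form>")


def render_search_escaped_unquoted(query):
    """Half a fix: the value is escaped but the attribute is left unquoted. A
    value made only of letters, spaces and '=' passes escape() untouched and
    still adds attributes to the <input> element."""
    safe = escape(query, quote=True)
    return ("<h1>Results for: " + safe + "</h1>\n"
            "<form><input name=q value=" + safe + "></form>")


def render_search_safe(query):
    """Escape for the HTML context at output time and always quote attribute
    values. escape(quote=True) turns & < > \" ' into entities, so the value can
    neither open a tag nor break out of the quoted attribute."""
    safe = escape(query, quote=True)
    return ("<h1>Results for: " + safe + "</h1>\n"
            '<form><input name="q" value="' + safe + '"></form>')


class _TagCollector(HTMLParser):
    """Records every start tag with its attributes, roughly as a browser sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(rendered):
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return parser.tags


def has_tag(rendered, name):
    """True if a tag called `name` exists in the rendered page."""
    return any(tag == name for tag, _ in parsed_tags(rendered))


def input_attributes(rendered):
    """Attributes of the first <input> element, or {} if there is none."""
    for tag, attrs in parsed_tags(rendered):
        if tag == "input":
            return attrs
    return {}


def security_headers():
    """Defence in depth: a CSP without 'unsafe-inline' keeps an injected inline
    script from executing even if an escaping bug slips through somewhere."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    tag_input = "<script>x</script>"            # constructed
    attr_input = "x onfocus=handler autofocus"  # constructed: no < > & " ' at all
    for name, render in [("vulnerable", render_search_vulnerable),
                         ("escaped, unquoted", render_search_escaped_unquoted),
                         ("escaped, quoted", render_search_safe)]:
        print(f"{name:18} script tag: {has_tag(render(tag_input), 'script')!s:5} "
              f"input attrs: {sorted(input_attributes(render(attr_input)))}")
```

The second input is the one worth remembering: it contains none of the characters that escaping touches, yet it injects an event-handler attribute whenever the attribute is unquoted. Escaping is context-dependent, and the fix is to escape for the context and keep attributes quoted, not to filter the input.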