> For the complete documentation index, see [llms.txt](https://h4cker404.gitbook.io/blog/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://h4cker404.gitbook.io/blog/invisible-and-non-deletable-the-danger-of-unchecked-ids.md).

# Invisible & Non-Deletable: The Danger of Unchecked IDs

Hello mates,\
I’m back again with a new write-up… but this one is a bit different.

It’s not about a single bug.\
It’s about a **pattern**.

A pattern that started with something simple…\
and ended with something I didn’t expect.

Let’s get into it :))

### Part 1 — When IDs Go Wild <a href="#id-2bd4" id="id-2bd4"></a>

While testing the collections feature, everything looked normal at first.

Create collection → works\
Edit → works\
Delete → should work

But like always… I got curious:

> *How much does the backend trust the `id`?*

So I intercepted the request and started playing with it.

* Encoded payloads
* Special characters
* Traversal-like values
* Even `#`

And surprisingly…

**Everything was accepted.**

### Exploitation <a href="#id-33d5" id="id-33d5"></a>

I sent a crafted request with a weird `id`.

**2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73**

Response? **200 OK.** Collection created successfully.

Then I tried to delete it.

* “Server isn’t responding…”

<figure><img src="https://miro.medium.com/v2/resize:fit:420/0*xRXOWCVzdTIh_UMm" alt="" height="114" width="382"><figcaption></figcaption></figure>

* “Could not remove collection.”

<figure><img src="https://miro.medium.com/v2/resize:fit:476/0*MYuHs90WYuP_B6W0" alt="" height="133" width="433"><figcaption></figcaption></figure>

No matter what I did… it was stuck.

Even when an **admin tried to delete it**, the same behavior occurred.\
A collection that **cannot be deleted by anyone**, not even privileged users.

### Wait… it gets better :)) <a href="#id-4c9f" id="id-4c9f"></a>

I pushed it further with `#` inside the ID.

The collection was created…\
but completely **invisible in the UI**.

Press enter or click to view image in full size

<figure><img src="https://miro.medium.com/v2/resize:fit:770/0*rXlRjOxK-icTb-cK" alt="" height="267" width="700"><figcaption></figcaption></figure>

Via API? Still fully accessible.

<figure><img src="https://miro.medium.com/v2/resize:fit:762/0*ZvdyrvXYzpSuLDwg" alt="" height="649" width="693"><figcaption></figcaption></figure>

### Impact <a href="#d4a5" id="d4a5"></a>

* Non-deletable collections (affects admins too)
* Hidden collections
* Data that exists… but you can’t see or manage

> *You can create **ghost data containers** inside the system.*

### Root Cause <a href="#bcf5" id="bcf5"></a>

The backend **blindly trusts user-controlled IDs**\
without proper validation or normalization.

### The Unexpected Ending <a href="#ba12" id="ba12"></a>

The feature itself got **removed**,\
and the report was closed as **Informative**.

### Part 2 — Same Pattern, Different Target <a href="#id-3598" id="id-3598"></a>

Something stuck in my head:

> *If IDs are trusted there… where else?*

I found the same pattern in the commenting system.

### Discovery & Exploitation <a href="#id-6c0e" id="id-6c0e"></a>

I replaced my GUID with another user’s `commentGUID`.\
Sent the request. **200 OK.**

From my side… it looked like I replaced the original comment.\
After refreshing:

* Original comment → still there
* My comment → also there

Why?

> *The system relies on the **last stored ID** in the database for references,*\
> \&#xNAN;*so only the mapping changes without replacing the original content.*

Both comments were now tied to the **same GUID**.

Press enter or click to view image in full size

<figure><img src="https://miro.medium.com/v2/resize:fit:770/1*da54tx70KwPwp02dtUIdmA.png" alt="" height="252" width="700"><figcaption></figcaption></figure>

### Impact <a href="#id-2ab6" id="id-2ab6"></a>

* Comment impersonation
* Confusing collaborators
* Injecting misleading content
* Breaking trust in shared discussions

Not destructive… but dangerous in collaborative environments.

### Root Cause <a href="#id-4571" id="id-4571"></a>

Same issue:

> *Backend trusting user-controlled identifiers*\
> \&#xNAN;*without validating ownership or context*

### Final Reality <a href="#id-7232" id="id-7232"></a>

Impact was **low**:

* No persistent overwrite
* No deletion
* Mostly reference-level manipulation due to how the DB maps the GUID

Still… it got validated and rewarded.

Press enter or click to view image in full size

<figure><img src="https://miro.medium.com/v2/resize:fit:770/1*FwEcccvNugoAVGXKTIv6qA.png" alt="" height="606" width="700"><figcaption></figcaption></figure>

### Final Thought <a href="#id-46dc" id="id-46dc"></a>

This journey wasn’t about one bug.\
It was about noticing something deeper:

> *When the backend trusts your input…*\
> \&#xNAN;*even small control over identifiers can break logic in unexpected ways.*

From ghost collections\
to shared comment references manipulated

Same root cause. Different outcomes.

See you soon! Hope you found this write-up useful. More vulnerabilities coming soon, so stay tuned! Don’t forget to support, share, and follow me on [Twitter](https://x.com/Ahmed78752911). Thanks for reading!


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://h4cker404.gitbook.io/blog/invisible-and-non-deletable-the-danger-of-unchecked-ids.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
