BOOK THIS SPACE FOR AD
ARTICLE ADHellooooo hakurzzzz,
Let’s continue the story from 👇👇
So the application is redacted.com. That was sending a API request to a end point when a employee submitting his appraisal form, the request looks like
POST /api/employeeApraisal?id=0&abc=&bcd=...
...
If you see in the url, It is sending the id as `0`, to the `employeeApraisal`, and If I dig deeper that was not my ID, that was just kept as 0, and My ID was 535, I was shocked to see that…
Then I though of creating anothere user and checking his ID, and I took his ID which was 493.
Now I sent the same request (see part 1 to know how I modified the final submission) by setting all the ponts at max, but I captured the request in burp suite and modified like 👇
POST /api/employeeApraisal?id=535&abc=&bcd=...
...
and Bhoom!!!,
My previsouly set Average Rating are Increased, and I was like 😈.
Understanding what was happening
Actually the managers rating for a employee is set by making the API request with the `id={employeeID}`but when a Employee for himself making a request it was set to 0, and the backend was taking the ID from the JWT token. For this reason when we changed the ID value we could able to modify the data even for any user we could do this.
Impacts: