Don’t overlook any parameter, because the vulnerability lies within!

1 week ago 17

Xiaodong

Hello hackers,

Today’s article is about privilege escalation.

It’s not too difficult; simply put, don’t overlook any parameter in the data packets.

Let’s get to the point!

The target is a survey system where we can create surveys, publish them, and save drafts.

So, I first tried to see if it was possible to view other users’ unpublished surveys without authorization.

Obviously not, as the image below shows. If you don’t understand Chinese, that’s fine; you can still see that the response packet returned ‘false’.

When I tried to delete a survey created by another user without authorization, the packet again returned ‘false’.

Is there really no way around it?

Let’s take another look at the data packets:

https://target.com/survey/del?surveyId=5155887738554695&answerId=5155887738554695&type=1&registerSource=2&userIdType=1

Maybe you, like me, noticed the ‘userIdType’ parameter.

Yes, I iterated over this parameter, and when ‘userIdType=4’, the response packet returned ‘true’: the delete of another user’s survey went through.
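To show why a client-supplied `userIdType` must never steer the authorization decision, here is an added example (not the author’s code, and not the target’s real implementation) that models the `/survey/del` handler in its weak form beside a fixed form; the idea that type 4 is a legacy path without an ownership check is an assumption made for illustration, since the post only reports that this value returned ‘true’.

```python
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Survey:
    survey_id: int
    owner_id: int


def make_store() -> Dict[int, Survey]:
    # Constructed sample data: the surveyId from the post, owned by user 1001.
    return {5155887738554695: Survey(5155887738554695, 1001)}


def delete_survey_vulnerable(store, session_user_id: int, params: dict) -> bool:
    """Weak form: which ownership rule applies is chosen by the client-supplied
    userIdType. Type 4 is assumed (for illustration) to be a legacy/trusted
    path with no ownership check, so any logged-in user can delete any survey."""
    survey = store.get(int(params["surveyId"]))
    if survey is None:
        return False
    rules: Dict[int, Callable[[], bool]] = {
        1: lambda: survey.owner_id == session_user_id,
        2: lambda: survey.owner_id == session_user_id,
        3: lambda: survey.owner_id == session_user_id,
        4: lambda: True,  # the overlooked branch: no check at all
    }
    rule = rules.get(int(params.get("userIdType", 1)))
    if rule is None or not rule():
        return False
    del store[survey.survey_id]
    return True


def delete_survey_fixed(store, session_user_id: int, params: dict) -> bool:
    """Hardened form: identity comes only from the server-side session and the
    ownership check is unconditional; userIdType is never read for authorization."""
    survey = store.get(int(params["surveyId"]))
    if survey is None or survey.owner_id != session_user_id:
        return False  # identical response for missing and foreign surveys
    del store[survey.survey_id]
    return True


def granted_types(handler, non_owner_id: int, survey_id: int, types=range(0, 8)) -> set:
    """Regression check for the fix: which userIdType values let a non-owner
    delete the survey? A correct handler returns the empty set for every value."""
    granted = set()
    for t in types:
        params = {"surveyId": str(survey_id), "type": "1", "userIdType": str(t)}
        if handler(make_store(), non_owner_id, params):
            granted.add(t)
    return granted
```

Running `granted_types` against both handlers reproduces the finding on the weak form and confirms the fixed form ignores the parameter entirely.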

Next, I began writing the report and submitted it, earning a high-risk reward of 1500 RMB.
