IDOR+Privilege Escalation+No Rate Limit+Business Logic into a Single Vulnerability

1 month ago 24
BOOK THIS SPACE FOR AD
ARTICLE AD

Hossam Hamada

Hello everyone ,
I’m Hossam Hamada, Today I would like to share with you one of my discoveries in HackerOne ’s program

Let’s say : https://example.com

At the beginning, I would like to clarify what the target is. The target serves individuals interested in design and is an environment that provides them with design tools.

Nature of the Target

Let’s assume we are a team that decided to work on this program. Each of us can create a free account, and we can come together in one team. There is definitely a leader for this team. The leader will create the team and act as the admin. This admin will invite us and assign each of us specific permissions.

Permissions

The permissions consist of:

- Admin: The leader with full permissions.
- Editor : A person allowed to edit projects.
- Viewer: A person allowed to view only.

Naturally, the admin is the leader, and we will primarily have editing permissions. This means we can work on projects within this team, but we cannot change team settings, such as changing the team name or altering permissions.

Types of Teams

There are three types of teams:

- Free Team
- Student Team
- Professional Team

Differences Between Teams

The free team has specific limitations:

- It can create one project with only three files inside.

In contrast, both the student team and professional team can create an unlimited number of projects and files. The student team is specifically designed for students and does not require payment. When you indicate that you are a student, you receive the same benefits as the professional team, but for free.

This clarifies the nature of the target.

Let me explain how I came up with the idea and how I analyzed the program to find the vulnerability.

At the beginning, I created an account and logged in. I decided to create a team, and the types of teams I could create were presented to me. I understood the types of teams and their permissions, as mentioned earlier. I created a free team, which allowed me to create only one project with three files inside, as I mentioned before. I thought, why not try to create four files and see what happens?

I created three files, and when I tried to create the fourth, it prompted me to upgrade the team to either Professional or Student. I decided to upgrade it to Student and thought I would intercept the request to change the team from free to Student to understand the details of the request and how it works.

Intercepting the Request

I intercepted the request and noticed a parameter called `student_team` with a value of `true`. When I sent the request, it successfully converted the team to a student team.

I thought about what would happen if I changed the value from true to false, and I tried it. The result was that the team reverted back to free. I wondered if this behavior was normal, as I couldn’t find any button or option to switch the team from Student back to Free. This led me to suspect that it wasn’t intentional and could potentially cause a problem.

I thought about what would happen if we converted the team to Student and then created a project with, for example, five files, and then reverted the team back to Free. Since a free team can only have three files, as I mentioned before, I tried it. The surprise was that it blocked the entire team, including the admin, from editing any projects.

So, we had two options:

- Either we delete 2 files from the 5 to reduce them to 3, which would unblock the team and allow us to work on the project again. This is a disaster because those files might contain important work, and losing them would be catastrophic.

- Or we could revert the team back to Student and continue our work as if nothing happened.

So, all of this while I’m trying to understand the logic behind the target, and there’s no impact at all. The goal is to understand the admin’s permissions better and delve deeper.

Shall we continue? Let’s continue!

Let’s dive deeper into the experiment, this time as a team member with edit permissions only.

Steps to Explore

Create a free account.Set up a free team, making this the team admin.Create a project.Create another free account.And we sent him an invitation through the admin, giving him only edit permissions.

Since I have edit permissions, I can create files normally. I thought again about what would happen if I created 4 files inside this free team. Would it prompt me to upgrade the team to Student like it did with the admin? And would I be able to convert it to Student as well, or is it only the admin who is allowed to do that?

I tried it, and indeed, it told me that I could convert the team from Free to Student. I successfully changed the team from Free to Student.

This is essentially the same request as before, containing the same parameter, `student_team`, with a value of true. If I change it to false, it will revert back to Free.

So far, there’s no impact.

I had an idea

What would happen if I were a member of a Student team with only edit permissions, and we were actually working on this team on multiple projects and more than 3 files, and I converted the team from Student to Free?

As we mentioned before, the entire team, including the admin, should be blocked, which would be a disaster.

This way, I could control the admin and make them lose control over the team at any time, completely disabling the team whenever I wanted.

Important things that will help me in this attack:

There is no record of team conversions from Student to Free or vice versa, so no one will know who is making these changes.

Additionally, there is no clear option or button to convert the team from Student to Free, which makes it a strange situation for them. This could lead to problems within the company, and no one would understand what is happening.

Let’s try this attack and see if it will succeed or not

Let’s summarize the steps I took:

1. Assume I’m in a student team with edit permissions only.
2. Create another free team.
3. Convert the team from free to student and intercept the request.
4. Note that the request contains the team ID, which I can change to the ID of the other team where I only have edit permissions.

5. Change the value of the parameter `student_team` to `false`, reverting the team back to free.
6. Send the request.
7. The response is 200, confirming the team has been converted to free.
8. Upon entering the team where I only have edit permissions, I found that the entire team was blocked, necessitating either the deletion of extra files or converting the team back to student.

So far, the impact isn’t huge because after I convert the team from Student to Free, it’s easy for them to quickly resolve the issue by converting the team back to Student. Yes, it’s easy for me to repeat the attack and block them again, but they can also convert the team back to Student once more.

I thought of an idea:

if there is no rate limit on sending requests to convert the team from Student to Free, this would help me disable the team for a long period. They would remain blocked based on the duration I specify.

Let’s try and see if there is no rate limit or not.

I took the request to convert the team from Student to Free and sent it to the Intruder. I tried sending 400 requests, and indeed they were sent, all receiving a response of 200, with no block or change in the response at all. This confirms that there is no rate limit on sending requests.

From this point, I thought if I wanted to disable the team for 3 hours, I could send 1800 requests with a 6-second interval between each request. This way, every 6 seconds, a request would be sent to convert the team to Free. If the team is blocked and the admin tries to convert it back to Student to unblock it, the moment they do, it will be blocked again. Consequently, they won’t know where the problem is or who is causing it. Thus, we can run the attack for as long as needed, effectively disabling the team for any desired duration.

And here we reached a good impact. This was the end, and I hope you benefited. Have a great day!

Read Entire Article