My Report Summaries #1: Project manager can see & download all users’ login history at redacted app…

8 months ago 59

Hi team,

Under normal circumstances, project manager level users cannot see the login activities of other users (including administrator) in the REDACTED application.

As you can see in the picture, the project manager user cannot see other users and their login activities in the application. They can only see their own user information.

For the administrator user, however, the same screen looks like this. Here you can see that only the administrator has the right to see login activities; no other role can view users’ login activities.

However, I found an IDOR vulnerability here. Even though the project manager user is not granted access, they can view the login activities of every user in the organization, including the administrator user.

Steps:

1- Log in as the project manager and verify that you cannot see other users in the ‘users’ area and that you cannot access any user’s login activities.

(Other users cannot be viewed)

2- Now go to the ‘project’ or ‘jobs’ area; there you will see the names of all users who have created items in these areas. For example:

(1x0262 is administrator user)

3- Now open Burp Suite and turn on Intercept. Go to the project or jobs area again and capture the requests. Right-click the request shown in the image and view its response.

(If it is a Jobs field, view the response to this request.)

4- The response to that request contains the UID of the admin or target user. You now have the target’s ID; copy it.

5- Now go to the login history page and replace your own ID with the target’s ID. There is no vulnerability here: you will receive an access error, as in the picture. I added this step to show that the finding in the next step is a valid vulnerability.

6- Now append the UID you copied to the vulnerable URL below and send the request:
https://redacted.com/web/user/download/USER-UID

(This endpoint is the one used when downloading your own login history from the login history page.)

You will be able to see the login and logout activities, IP addresses and user agent information of the target user, including the admin user.
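The root cause described above is an object-level authorization check that exists on the login history page (step 5) but is missing on the download endpoint (step 6). As an added example that is not part of the original report or the redacted application, the following model of both routes shows the vulnerable download handler beside a hardened one that reuses the same authorization helper as the page; the role names, the project-manager UID and all records are constructed, and only "1x0262" comes from the report.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    uid: str
    role: str  # "administrator" or "project_manager" (role names assumed)

# Constructed sample data; "1x0262" is the admin UID named in the report,
# "pm-0001" is a hypothetical project-manager UID.
USERS = {
    "1x0262": User("1x0262", "administrator"),
    "pm-0001": User("pm-0001", "project_manager"),
}
LOGIN_HISTORY = {
    "1x0262": [{"event": "login", "ip": "198.51.100.7", "ua": "constructed UA"}],
    "pm-0001": [{"event": "login", "ip": "203.0.113.9", "ua": "constructed UA"}],
}

def may_view_login_history(requester: User, target_uid: str) -> bool:
    """Object-level check: only the account owner or an administrator
    may read a user's login activity."""
    return requester.uid == target_uid or requester.role == "administrator"

def view_login_history(requester: User, target_uid: str):
    """Models the login history page, which already enforces the check
    (the report's step 5 receives an access error). Returns (status, body)."""
    if not may_view_login_history(requester, target_uid):
        return 403, []
    return 200, LOGIN_HISTORY.get(target_uid, [])

def download_login_history_vulnerable(requester: User, target_uid: str):
    """Models /web/user/download/USER-UID as reported: the UID from the
    URL is trusted and no ownership or role check is made (the IDOR)."""
    return 200, LOGIN_HISTORY.get(target_uid, [])

def download_login_history_fixed(requester: User, target_uid: str):
    """Hardened download: reuses the same helper as the page, so every
    route that serves login history enforces the identical rule."""
    if not may_view_login_history(requester, target_uid):
        return 403, []
    return 200, LOGIN_HISTORY.get(target_uid, [])

if __name__ == "__main__":
    pm = USERS["pm-0001"]
    print(download_login_history_vulnerable(pm, "1x0262"))  # (200, [...]): the leak
    print(download_login_history_fixed(pm, "1x0262"))       # (403, [])
```

The practical lesson is that every route returning the same resource (page view, export, API) must call one shared authorization check keyed on the authenticated identity, not on the identifier supplied in the URL.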
