IDOR Leads to Full Account Takeover

Howdy fellow hackers,
I’m Abdelfattah Ibrahim (T-PWN), Security Researcher @ CESPPA.
This is my second writeup ’cause I usually don’t have much time to write down my findings, but I’ll be trying to change this soon.

A few days ago I received a new pentest project from CESPPA, so I started exploring my target, and after some time I came up with this finding, which let me escalate my permissions from being just a viewer on X company’s account to SUPER ADMIN on any other company’s account on the platform.

The vulnerability was an IDOR that lets you claim any invite that was ever sent to anyone (even if it was claimed before); I could still claim it over and over again.

I was already given an account with super admin permissions, so I sent an invite to my personal email and started to sign up while intercepting and reading the requests, and this request came up:

POST /invites/accept_invite/ HTTP/1.1
HOST: target.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:62.0) Gecko/20100101 Firefox/62.0
Cookies: XXXX

CSRF_TOKEN=XXX&inviteId=823

The inviteId parameter got my attention. Without even thinking, I checked whether there was an IDOR right there: I changed the id to 822 (the previous invite) and YIKES! I got Super Admin instead of just Admin. Here we go, the IDOR is confirmed; now let’s take this to a higher level. I copied the URL and pasted it in my browser with the Burp interceptor on, changed the request method to POST and added my data “CSRF_TOKEN=XXX&inviteId={ID}”,
then started sending requests with different values for the inviteId parameter, and found myself super admin on a huge number of companies.

So being invited was not even required to reproduce the vulnerability: I’m just a viewer who sends one request and becomes Super Admin on any account!
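To show what the fix looks like on the server side, here is an added Python example (not code from the original writeup or from the target platform). It puts the flawed accept-invite logic next to a hardened version that binds the invite to an unguessable token from the e-mail, to the invitee’s verified address, and to a single use, so a sequential inviteId on its own grants nothing. The in-memory invite table, company name, e-mail addresses and role names are constructed for the example; the ids 822 and 823 are the ones from the writeup.

```python
import secrets
from dataclasses import dataclass, field

# Constructed in-memory invite table standing in for the platform's database.
# Company name, addresses and role names are made up for this example.
@dataclass
class Invite:
    invite_id: int          # sequential id, like the page's inviteId=823
    token: str              # unguessable secret mailed to the invitee
    company: str
    invitee_email: str
    role: str
    claimed: bool = False

@dataclass
class User:
    email: str
    email_verified: bool
    roles: dict = field(default_factory=dict)   # company -> granted role

class InviteError(Exception):
    """Raised with one generic message so callers cannot probe which ids exist."""

def make_invites() -> dict:
    return {
        822: Invite(822, secrets.token_urlsafe(32), "acme", "cto@acme.example", "SUPER_ADMIN"),
        823: Invite(823, secrets.token_urlsafe(32), "acme", "viewer@example.net", "ADMIN"),
    }

def accept_invite_vulnerable(invites: dict, user: User, invite_id: int) -> str:
    # The flawed pattern: whatever inviteId the client posts is honoured, with no
    # check of who the invite was addressed to and no check that it is unused.
    inv = invites[invite_id]
    user.roles[inv.company] = inv.role
    return inv.role

def accept_invite_hardened(invites: dict, user: User, invite_id: int, token: str) -> str:
    inv = invites.get(invite_id)
    # 1. The id alone proves nothing: require the secret token from the e-mail,
    #    compared in constant time.
    if inv is None or not secrets.compare_digest(inv.token, token):
        raise InviteError("invalid invite")
    # 2. Ownership: the invite must be addressed to the logged-in, verified address.
    if not user.email_verified or inv.invitee_email.lower() != user.email.lower():
        raise InviteError("invalid invite")
    # 3. Single use: a claimed invite can never be replayed.
    if inv.claimed:
        raise InviteError("invalid invite")
    inv.claimed = True
    user.roles[inv.company] = inv.role
    return inv.role

def demo() -> dict:
    """Replays the writeup's scenario against both handlers and returns the outcomes."""
    out = {}
    viewer = User("viewer@example.net", email_verified=True)

    # Vulnerable handler: the viewer posts the neighbouring id and gets SUPER_ADMIN.
    out["vuln_822"] = accept_invite_vulnerable(make_invites(), viewer, 822)

    # Hardened handler on a fresh table: the same attempt without the token is rejected...
    invites = make_invites()
    viewer = User("viewer@example.net", email_verified=True)
    try:
        accept_invite_hardened(invites, viewer, 822, "guess")
        out["hard_822_no_token"] = "accepted"
    except InviteError:
        out["hard_822_no_token"] = "rejected"

    # ...and even with the right token it fails, because 822 was addressed to someone else.
    try:
        accept_invite_hardened(invites, viewer, 822, invites[822].token)
        out["hard_822_wrong_owner"] = "accepted"
    except InviteError:
        out["hard_822_wrong_owner"] = "rejected"

    # The viewer's own invite works exactly once; a replay is refused.
    out["hard_823_first"] = accept_invite_hardened(invites, viewer, 823, invites[823].token)
    try:
        accept_invite_hardened(invites, viewer, 823, invites[823].token)
        out["hard_823_replay"] = "accepted"
    except InviteError:
        out["hard_823_replay"] = "rejected"
    out["roles"] = dict(viewer.roles)
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design points worth keeping even if the rest is adapted: every failure returns the same generic error, so a client cannot tell a non-existent id from one belonging to someone else, and the token check comes before the ownership check, so the sequential id is never a usable handle by itself. On the monitoring side, one session posting accept_invite with many different inviteId values is exactly the pattern described in the writeup and is cheap to alert on from the access log.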

I hope you guys enjoyed and benefited from reading this; we’ll meet again soon!