IDOR Leads To Project Takeover
It's all about Changes
This is my second bug bounty write up of how i managed to takeover a victims project using collaboration Invite.
A redacted.com is running a online project management service and people can post comments,images,files etc of their work on a single project. The admin of the project can add users as collaborators of the project.
The request of the collaboration invite was like this..
POST /project_api/project_invitation HTTP/1.1
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
And when i saw the request i thought..What If I
So we have 3 Request Parameters:
I Changed the request to:
project_id= Victims Project ID
role=0 (0=Owner, 1=Editor)
emails= My Email
I forwarded the request and ..
Checked my inbox and there it was ..A Collaboration Invite to the victims project as a owner . I was able to edit, delete, add more users, remove the original owner of the project etc
And i was like
I immediately reported the bug and recieved a good 3 digit bounty :)