IDOR Leads To Project Takeover

Jun 9, 2019 · 1 min read

It's all about Changes

Hi Guys,

This is my second bug bounty write-up, about how I managed to take over a victim's project using a collaboration invite.

A is running an online project management service where people can post comments, images, files, etc. of their work on a single project. The admin of the project can add users as collaborators on the project.

The collaboration invite request looked like this:

POST /project_api/project_invitation HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 121
Connection: close


And when I saw the request I thought.. What if I

So we have 3 request parameters: project_id, role and emails.
I changed the request to:

project_id= the victim's project ID

role=0 (0=Owner, 1=Editor)

emails= my email

I forwarded the request and ..

Checked my inbox and there it was: a collaboration invite to the victim's project as an owner. I was able to edit, delete, add more users, remove the original owner of the project, etc.

And I was like

I immediately reported the bug and received a good 3-digit bounty :)
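To make the root cause concrete, here is an added example (not code from the original post or from the affected service) that models the invitation endpoint in plain Python: the vulnerable handler acts on whatever project_id the client posts, while the hardened one decides authorization from the server-side membership record of the authenticated requester and validates the role value. The data model, function names, user IDs and e-mail addresses are all constructed for illustration.

```python
"""
Added example (not the original post's code): a minimal model of the
/project_api/project_invitation handler, showing the IDOR and the
authorization check that closes it. Project/user records, function
names and the 'requester_id' identity are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Role values as described in the write-up: 0 = Owner, 1 = Editor
ROLE_OWNER = 0
ROLE_EDITOR = 1
VALID_ROLES = {ROLE_OWNER, ROLE_EDITOR}


class Forbidden(Exception):
    """Raised when the requester may not manage the requested project."""


@dataclass
class Project:
    project_id: int
    owner_id: int
    members: dict = field(default_factory=dict)   # user_id -> role
    invites: list = field(default_factory=list)   # (email, role) pairs


# Constructed sample data: two users, each owning one project.
PROJECTS = {
    101: Project(project_id=101, owner_id=1, members={1: ROLE_OWNER}),
    202: Project(project_id=202, owner_id=2, members={2: ROLE_OWNER}),
}


def invite_vulnerable(requester_id, project_id, role, emails):
    """IDOR: the handler trusts project_id from the request body and never
    checks that the authenticated requester is allowed to manage it, so any
    logged-in user can invite anyone (including themselves) as owner."""
    project = PROJECTS[project_id]
    for email in emails.split(","):
        project.invites.append((email.strip(), role))
    return "invited"


def invite_fixed(requester_id, project_id, role, emails):
    """Hardened handler: authorization comes from the server-side membership
    record of the authenticated user, not from anything the client posted."""
    project = PROJECTS.get(project_id)
    # Unknown project and unauthorized project get the same generic answer,
    # so the response does not reveal which project IDs exist.
    if project is None or project.members.get(requester_id) != ROLE_OWNER:
        raise Forbidden("no access to this project")
    # Validate the role instead of storing whatever integer was posted.
    if role not in VALID_ROLES:
        raise Forbidden("invalid role")
    for email in emails.split(","):
        project.invites.append((email.strip(), role))
    return "invited"


def demo():
    """User 2 (owner of project 202 only) posts an invite for project 101
    with role=0. Returns the outcome under each handler."""
    results = {}
    results["vulnerable"] = invite_vulnerable(
        2, 101, ROLE_OWNER, "user2@example.invalid")
    try:
        invite_fixed(2, 101, ROLE_OWNER, "user2@example.invalid")
        results["fixed"] = "invited"
    except Forbidden as err:
        results["fixed"] = f"denied: {err}"
    return results


if __name__ == "__main__":
    for handler, outcome in demo().items():
        print(f"{handler}: {outcome}")
```

The check that matters is the one on `project.members.get(requester_id)`: the project to act on is still named by the client, but whether the caller may act on it is looked up server-side for every request. Returning the same generic error for a non-existent and an unauthorized project is a small extra so the endpoint does not double as a project-ID oracle.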
