IDOR Leads To Project Takeover

It's all about Changes

Hi Guys,

This is my second bug bounty write-up, about how I managed to take over a victim's project using a collaboration invite.

A is running an online project management service where people can post comments, images, files, etc. of their work on a single project. The admin of the project can add users as collaborators on the project.

The request for the collaboration invite looked like this:

POST /project_api/project_invitation HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 121
Connection: close

And when I saw the request I thought: what if I...

So we have 3 request parameters: project_id, role and emails.

I changed the request to:

project_id=<victim's project ID>
role=0 (0=Owner, 1=Editor)
emails=<my email>

I forwarded the request and...

I checked my inbox and there it was: a collaboration invite to the victim's project as an owner. I was able to edit, delete, add more users, remove the original owner of the project, etc. The server trusted the project_id in the request body without checking that the logged-in user actually owned that project, which is what turns a simple invite endpoint into a project takeover.
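To make the root cause concrete, here is an added example (my own illustration, not the vendor's code) of an invite handler that behaves the way the write-up implies, beside a version that checks ownership of project_id before creating any invite. The data store, handler names and the sample form body are constructed for the example; the role values 0=Owner and 1=Editor come from the write-up.

```python
from urllib.parse import parse_qs

ROLE_OWNER, ROLE_EDITOR = 0, 1  # role values as described in the write-up

# Constructed sample data (assumption): project id -> owning user id.
PROJECTS = {
    "proj-victim": {"owner": "user-victim"},
    "proj-mine": {"owner": "user-attacker"},
}

# Constructed request body, shaped like the POST /project_api/project_invitation
# form: the attacker supplies someone else's project_id and their own email.
ATTACK_BODY = "project_id=proj-victim&role=0&emails=attacker%40example.com"


class Forbidden(Exception):
    """Raised when the requester is not allowed to act on the project."""


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def invite_vulnerable(current_user, form):
    """IDOR: the handler only knows the user is logged in and trusts the
    project_id from the body, so any user can invite anyone (themselves
    included) as Owner of any project that exists."""
    project_id = form["project_id"]
    if project_id not in PROJECTS:
        raise KeyError("no such project")
    return [{"project": project_id, "email": e.strip(), "role": int(form["role"])}
            for e in form["emails"].split(",") if e.strip()]


def invite_fixed(current_user, form):
    """Fix: authorize against the object, not just the session. The project
    is looked up server-side and the invite is only created if the requester
    owns it; the role value is validated as well."""
    project = PROJECTS.get(form["project_id"])
    if project is None or project["owner"] != current_user:
        raise Forbidden("requester is not an owner of this project")
    role = int(form["role"])
    if role not in (ROLE_OWNER, ROLE_EDITOR):
        raise ValueError("unknown role")
    return [{"project": form["project_id"], "email": e.strip(), "role": role}
            for e in form["emails"].split(",") if e.strip()]


def attempt(handler, current_user, body):
    """Run a handler on a raw body; returns the invites or 'forbidden'."""
    try:
        return handler(current_user, parse_form(body))
    except Forbidden:
        return "forbidden"
```

Note that the fix is a check on the requester's relationship to the specific project_id; returning a 404 instead of a 403 for projects the user does not own is a reasonable variant that also avoids confirming which IDs exist.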

And I was like...

I immediately reported the bug and received a good 3-digit bounty :)