Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneHillybot__H1:2323303
HistoryJan 17, 2024 - 12:00 p.m.

HackerOne: Program admins could add verified domains to an organization

2024-01-1712:00:37
hillybot__
hackerone.com
12
hackerone
organization
domain verification
privilege escalation
bug bounty
bypass

AI Score

7.2

Confidence

High

JSON

in hackerone according to the documentation https://docs.hackerone.com/en/articles/8490190-domain-verification only an organization admin could add verified domain .but there is an bypass.

steps to reproduce:

  1. create an sandbox
    2.remove org admin permission(you must add program admin permission before removing org admin)
  2. go to the url
    https://hackerone.com/<program you are admin of>/domain_ownerships/new
    4.from there you will be able to add verified domain in the org

Impact

access of restricted feature
privilage escalation

AI Score

7.2

Confidence

High

JSON