A project member who is not the owner of the project does not have the delete option. However, using a proxy tool such as Burp Suite, a low-privilege project member can delete the project, an action that only the project owner is privileged to perform.
Prerequisite: A project in which the current user is only a low-privilege member
Steps:
1. Log in to Invision
2. Navigate to the My Projects page. Observe that for a project the current user does not own, there is no delete option
3. ███████
4. ████████
5. ████████
6. Forward the request to the server
Result: The low-privilege project member successfully deletes a project that only the project owner is privileged to delete.
Please watch the PoC video for detailed steps and proof. PoC Video: ████████
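
The behaviour reported above, modelled as an added example (not code from the report or from InVision): a delete handler that relies on the UI hiding the option, next to one that enforces the owner-only rule on the server. All names here (`Project`, `delete_project_vulnerable`, `delete_project_hardened`, `attempt`) and the assumption that the server checked membership only are hypothetical.

```python
# Added illustration; every name is hypothetical, not InVision's code or API.
from dataclasses import dataclass, field

class Forbidden(Exception):
    pass

@dataclass
class Project:
    owner_id: str
    member_ids: set = field(default_factory=set)

def can_see_delete_button(project, user_id):
    # Client-side rendering decision only; it is never enforced by the server.
    return user_id == project.owner_id

def delete_project_vulnerable(projects, project_id, user_id):
    # Assumed flaw: the server checks project membership only and relies
    # on the UI to hide the delete option from non-owners.
    project = projects[project_id]
    if user_id != project.owner_id and user_id not in project.member_ids:
        raise Forbidden("not a project member")
    del projects[project_id]

def delete_project_hardened(projects, project_id, user_id):
    # The owner-only rule is enforced on every request, whatever controls
    # the client rendered. Unknown project ids get the same refusal.
    project = projects.get(project_id)
    if project is None or user_id != project.owner_id:
        raise Forbidden("only the project owner may delete this project")
    del projects[project_id]

def attempt(handler, user_id):
    # Constructed sample data: one project, one owner, one low-privilege member.
    projects = {"p1": Project("owner", {"member"})}
    try:
        handler(projects, "p1", user_id)
    except Forbidden:
        return "denied"
    return "deleted" if "p1" not in projects else "kept"

if __name__ == "__main__":
    for handler in (delete_project_vulnerable, delete_project_hardened):
        for user in ("owner", "member", "outsider"):
            print(handler.__name__, user, attempt(handler, user))
```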