1. First, we create two organizations, org1 and org2. Their owners are user1 and user2 respectively.
2. We log in as user1 and create a new API key.
3. Using Burp Suite, we intercept the POST request.
4. The POST body looks like:
{"type":"API_KEY","target":"API_KEY","organizationId":1,"role":"API_CONSUMER","description":"test"}
5. We replace the organizationId value 1 with 2 and then send the request.
6. We can see that the API key was created in org2, which user1 does not own.
7. Delete, disable, QR code and edit can be exploited by the same process.
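The root cause of the steps above is that the server trusts the organizationId in the request body instead of checking that the authenticated user actually belongs to that organization. The following added example (not code from the original report or the affected project; the handler and helper names are hypothetical) shows the vulnerable handler next to a fixed one that authorizes against server-side membership, and applies the same check to delete so that edit, disable and similar operations are covered by looking up the key's organization rather than trusting any client-supplied id.

```python
from dataclasses import dataclass, field
import itertools


class AuthorizationError(Exception):
    """Raised when the caller is not a member of the target organization."""


@dataclass
class Organization:
    id: int
    owner: str
    members: set = field(default_factory=set)


@dataclass
class ApiKey:
    id: int
    organization_id: int
    role: str
    description: str


# Constructed sample state mirroring the report: org1 owned by user1, org2 owned by user2.
ORGS = {
    1: Organization(id=1, owner="user1", members={"user1"}),
    2: Organization(id=2, owner="user2", members={"user2"}),
}
API_KEYS: dict[int, ApiKey] = {}
_ids = itertools.count(1)


def create_api_key_vulnerable(current_user: str, body: dict) -> ApiKey:
    """Vulnerable: organizationId comes straight from the client and is never
    checked against the caller's memberships (the behaviour the report describes)."""
    key = ApiKey(next(_ids), body["organizationId"], body["role"], body["description"])
    API_KEYS[key.id] = key
    return key


def is_member(current_user: str, organization_id: int) -> bool:
    """Server-side membership check; the authenticated identity comes from the
    session, never from the request body."""
    org = ORGS.get(organization_id)
    return org is not None and current_user in org.members


def _require_org_access(current_user: str, organization_id: int) -> Organization:
    if not is_member(current_user, organization_id):
        # Return a generic error so the response does not reveal whether the org exists.
        raise AuthorizationError("not authorized for this organization")
    return ORGS[organization_id]


def create_api_key_fixed(current_user: str, body: dict) -> ApiKey:
    """Fixed: authorize the (user, organization) pair before creating anything."""
    org = _require_org_access(current_user, int(body["organizationId"]))
    key = ApiKey(next(_ids), org.id, body["role"], body["description"])
    API_KEYS[key.id] = key
    return key


def _load_key_for_user(current_user: str, key_id: int) -> ApiKey:
    """Shared lookup for delete/disable/edit: authorize against the organization
    stored with the key, not against an organizationId supplied by the client."""
    key = API_KEYS.get(key_id)
    if key is None:
        raise AuthorizationError("not authorized for this key")
    _require_org_access(current_user, key.organization_id)
    return key


def delete_api_key_fixed(current_user: str, key_id: int) -> bool:
    key = _load_key_for_user(current_user, key_id)
    del API_KEYS[key.id]
    return True


def reproduce_report() -> dict:
    """Replays the report's step 5 against both handlers and returns the outcome."""
    tampered = {"type": "API_KEY", "target": "API_KEY", "organizationId": 2,
                "role": "API_CONSUMER", "description": "test"}
    vulnerable_key = create_api_key_vulnerable("user1", tampered)
    try:
        create_api_key_fixed("user1", tampered)
        fixed_blocked = False
    except AuthorizationError:
        fixed_blocked = True
    return {"vulnerable_org": vulnerable_key.organization_id, "fixed_blocked": fixed_blocked}


if __name__ == "__main__":
    print(reproduce_report())
```

The same `_require_org_access` check belongs in every handler that takes an organization-scoped object (create, delete, disable, QR code, edit); centralizing it in one helper that all handlers call is what prevents the report's "same process works everywhere" outcome.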