Mar 22, 2023 - 7:33 a.m.

IDOR vulnerability allows the owner of one organization to create, edit and delete API keys that belong to another organization

2023-03-22 07:33:51
lujiefsi
www.huntr.dev
idor vulnerability
organization manipulation
api key hijacking
burpsuite
security breach
bug bounty

EPSS

0.001

Percentile

44.3%

1. First, we create two organizations, org1 and org2, owned by user1 and user2 respectively.

2. We log in as user1 and create a new API key.

3. Using Burp Suite, we intercept the POST request.

4. The POST body looks like:

{"type":"API_KEY","target":"API_KEY","organizationId":1,"role":"API_CONSUMER","description":"test"}

5. We replace the organizationId value 1 with 2 and then send the request.

6. We find that the API key was created in org2.

7. Delete, disable, QR code and edit follow the same process.
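The missing server-side check that the steps above demonstrate, shown as an added Python example that is not the affected project's own code. The membership table, role names and in-memory key store are constructed for illustration; the request body shape is the one from the report.

```python
from typing import Dict

# Constructed sample state mirroring the report's setup: org1 is owned by user1, org2 by user2.
MEMBERSHIPS: Dict[str, Dict[int, str]] = {"user1": {1: "OWNER"}, "user2": {2: "OWNER"}}
MANAGER_ROLES = {"OWNER"}  # hypothetical: roles allowed to manage an organization's API keys
API_KEYS: Dict[int, dict] = {}  # in-memory store of created keys, keyed by a constructed key id


class Forbidden(Exception):
    """Caller is not allowed to manage API keys of the target organization."""


def can_manage_org(user: str, org_id: int) -> bool:
    # The binding between caller and organization is resolved server-side, never taken from the body.
    return MEMBERSHIPS.get(user, {}).get(org_id) in MANAGER_ROLES


def _store_key(body: dict) -> dict:
    key_id = max(API_KEYS, default=0) + 1
    API_KEYS[key_id] = {
        "id": key_id,
        "organizationId": body["organizationId"],
        "role": body["role"],
        "description": body.get("description", ""),
    }
    return API_KEYS[key_id]


def create_api_key_vulnerable(user: str, body: dict) -> dict:
    # Trusts organizationId from the client body, so any owner can create keys in any organization.
    return _store_key(body)


def create_api_key_fixed(user: str, body: dict) -> dict:
    # Same request shape as in the report, but the caller's role in organizationId is checked first.
    if not can_manage_org(user, body["organizationId"]):
        raise Forbidden(f"{user} may not create API keys in organization {body['organizationId']}")
    return _store_key(body)


def delete_api_key_fixed(user: str, key_id: int) -> None:
    # For delete/disable/edit, authorize against the organization stored with the key,
    # not against an organization id supplied by the client.
    record = API_KEYS.get(key_id)
    if record is None:
        raise KeyError(key_id)
    if not can_manage_org(user, record["organizationId"]):
        raise Forbidden(f"{user} may not delete API key {key_id}")
    del API_KEYS[key_id]
```

The same check covers the edit, disable and QR code operations the report lists, as long as each one resolves the organization from the stored key record rather than from the request.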
