Description
There is a vulnerability at API Change password.
I use API PATCH /api/user/x to get user’s information and change their password. With x is the user’s id, which are numbers in ascending or descending order
Proof of Concept
2. Use the demohero user or you can create new users.
3. In this scenario, I use my new account (chuchu - id 104). Use Burp Suite (Or Postman) to call API change password and edit the body of request, field id from 104 to 101 (101 is demohero’s id), this is just an example and we can do the same to all user’s accounts there.
4. Send request and it is successful. Now you can see the user’s information and the password is also changed.
5. Try to re-login again to check it. It works.
#Link PoC: https://drive.google.com/file/d/1_Z6NH9-hFo-Q4nqqtjE6bZeOnv1yR9kH/view?usp=sharing