huntr lujiefsi C147412B-A80D-4F81-B63D-F280050D9A1A
History: Mar 23, 2023 - 10:39 a.m.

ProjectID is disclosed and can be used for IDOR attack

2023-03-23 10:39:10
lujiefsi
www.huntr.dev
5
idor attack
project settings
burpsuit hijack
member addition
project administration
uuid format
bug bounty

EPSS

0.001

Percentile

34.5%

I find that when we click the "Settings" button, we can see all the projects, even when the logged-in user does not belong to the project. Using Burp Suite to hijack the request, we can obtain project ids. We can use the projectid to perform an IDOR attack.

1 Create two projects, project1 and project2, whose admins are admin1 and admin2.

2 Log in as admin2 and click "Settings"; use Burp Suite to hijack the request, and we can obtain the projectid of project1 and project2.

3 Go to "Project settings", click Member, and add a member.

4 Using Burp Suite to hijack the request, replace project2's projectid with project1's projectid.

5 We can find that project1 has a new member, even though admin2 is not the admin of project1.

The UUID format of the projectid can prevent IDOR effectively. But we disclose it to end users!
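The two defects the report describes, the settings listing that discloses every project's id and the member-addition handler that trusts the projectId in the request, modelled as an added Python example (constructed here, not the affected application's code); the names `Project`, `add_member_vulnerable`, `add_member_fixed` and `list_visible_projects` are hypothetical.

```python
# Constructed model of the member-addition flow from the report: the handler
# that trusts the projectId in the request next to a hardened one. All names
# (Project, add_member_*, list_visible_projects) are hypothetical.
from dataclasses import dataclass, field
import uuid

class Forbidden(Exception):
    """Caller is not allowed to act on the target project."""

@dataclass
class Project:
    project_id: str
    admins: set[str]
    members: set[str] = field(default_factory=set)

# Constructed sample data mirroring the report: project1/admin1, project2/admin2.
PROJECTS: dict[str, Project] = {}
for admin in ("admin1", "admin2"):
    pid = str(uuid.uuid4())  # UUID-format ids, as the report says the app uses
    PROJECTS[pid] = Project(pid, {admin})

def project_id_of(admin: str) -> str:
    """Return the id of the sample project administered by `admin`."""
    return next(p.project_id for p in PROJECTS.values() if admin in p.admins)

def add_member_vulnerable(caller: str, project_id: str, new_member: str) -> None:
    """Authenticates the caller but trusts the projectId it was sent: it only
    checks that the caller administers *some* project, so admin2 can send
    project1's id and add a member there (the IDOR in the report)."""
    if not any(caller in p.admins for p in PROJECTS.values()):
        raise Forbidden("caller is not an admin")
    PROJECTS[project_id].members.add(new_member)

def add_member_fixed(caller: str, project_id: str, new_member: str) -> None:
    """Ties authorization to the object the request names: the caller must
    administer the project identified by project_id, so a UUID that leaked
    from another response is useless without that role."""
    project = PROJECTS.get(project_id)
    if project is None or caller not in project.admins:
        raise Forbidden("caller does not administer this project")
    project.members.add(new_member)

def list_visible_projects(caller: str) -> list[str]:
    """Settings listing restricted to the caller's own projects, so foreign
    project ids are not disclosed in the first place."""
    return [pid for pid, p in PROJECTS.items()
            if caller in p.admins or caller in p.members]
```

The unguessable UUID is defence in depth only; the check that matters is the per-object admin test in `add_member_fixed`, which holds even if the id is disclosed.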
