U.S. Dept Of Defense: Full Account Take-Over of ████████ Members via IDOR
Summary: https://███████ is a Social Network Site belonging to the US DoD. Membership is open to anyone. I have found a method to fully take over any member's account by exploiting an IDOR bug in the ██████████ end-point. By changing the following values in the POST request to the affected end-point:...
U.S. Dept Of Defense: IDOR - Delete Users Saved Projects
Target URL: https://█████/██████████/█████████=Targetid Summary: Hello, I found an IDOR bug in deleting users' saved projects. By changing the search id in the above URL in a GET request, you can delete saved projects for any user. Step-by-step Reproduction Instructions 1. Navigate to your...
New Relic: [NR Insights] Pull any Insights/NRQL data from any NR account
@jonbottarini discovered an issue where a feature within a cloud integration wasn't properly validating account IDs. This report helped us identify a backend issue that could prevent account validation from taking place in certain situations. This was a fun one! The full writeup is for this bug i...
Harvest: Invoices can be added to any retainers - even cross-platform
Summary: Hey team, there is an IDOR bug which allows me to add an invoice to any retainer I wish, even if the retainer belongs to another app/subdomain. Steps to reproduce: 1. Make sure you have two apps, A and B. 2. In A, create a retainer; let's say it has id 1234. 3. In B, open thi...