BadChoice / handesk

A Powerful Laravel Help Desk and Lead Management App
https://github.com/BadChoice/handesk
MIT License

Bypass Authentication Chaining with IDOR #419

Open kcnewb1e opened 4 years ago

kcnewb1e commented 4 years ago

SUMMARY: I can read all info about the ticket; the info includes the ticket's name, email, number and username.

Injection Point: site.com/handesk/api/tickets/random_4_digits_number

Reproduce:

  1. access that link
  2. intercept with Burp Suite to edit the request header
  3. edit the request header and add token: the-api-token
  4. done, you can bypass authentication to read that info

BadChoice commented 4 years ago

This is the default token, and every installation should change it so It only works on fresh installs
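An added example (not handesk's own code) of how a deployment can enforce the caveat above, refusing to serve the API while the shipped default token is still in place. It assumes a hypothetical `handesk.api_token` config key and a `token` request header, as in the report.

```php
<?php
// Added example, not part of the handesk project: a Laravel middleware that
// fails closed when the API token is unset or still the shipped default.
// Assumptions: the token is read from config('handesk.api_token') and sent
// in a `token` request header; both names are hypothetical.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class RejectDefaultApiToken
{
    /** Value present on a fresh install that every deployment must replace. */
    private const DEFAULT_TOKEN = 'the-api-token';

    public function handle(Request $request, Closure $next): Response
    {
        $configured = (string) config('handesk.api_token', '');

        // Refuse to serve the API at all until the operator has rotated the
        // token, so a fresh install never exposes ticket data to anyone who
        // knows the public default.
        if ($configured === '' || $configured === self::DEFAULT_TOKEN) {
            abort(503, 'API token is unset or still the default; rotate it before enabling the API.');
        }

        $presented = (string) $request->header('token', '');

        // Constant-time comparison so the check does not leak token bytes via timing.
        if ($presented === '' || !hash_equals($configured, $presented)) {
            abort(401, 'Invalid API token.');
        }

        return $next($request);
    }
}
```

Register the middleware on the API route group so every `/api/tickets/*` request passes through it before reaching a controller.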

kcnewb1e commented 4 years ago

out that's not an issue..

one more..

URL: site.com/handesk/api/tickets/xxxx/comments

change the value of the new_status parameter. 1 for processing

  1. for new
  2. for done

BadChoice commented 4 years ago

What happens when you do that?

kcnewb1e commented 4 years ago

Status notif will be changed.. Without admin permission

On Fri, 13 Mar 2020 at 00:53, Jordi Puigdellívol <notifications@github.com> wrote:

> What happens when you do that?

BadChoice commented 4 years ago

well, that's the idea of the API :D if you have the token, you can do it all