Closed W0rty closed 1 year ago
Does this not prevent it? https://github.com/CTF-Cafe/CTF_Cafe_platform/blob/master/backEnd/controllers/teamController.js#L86
I should change to ObjectId(teamNameExists._id).equals for it to be a secure compare, but the check should still work, maybe not without the .equals
Easy to fix, will do it soon.
There is an improper access control issue on the API that lets any user recover the secret code of any team.
The attacker just has to send a POST request to /api/user/getTeamCode with the team name and can then join the team.
To fix, you have to verify that the user requesting the code is a member of the requested team.
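The fix described above, as an added example that is not part of the original issue or the CTF Cafe code base: the handler returns the code only when the session's user is a member of the requested team. The in-memory `teams` data, the field names and both function names are assumptions made for illustration.

```javascript
// Constructed sample data standing in for the platform's database (hypothetical schema).
const teams = [
  { id: "t1", name: "alpha", teamCode: "constructed-code-alpha", members: ["u1", "u2"] },
  { id: "t2", name: "beta", teamCode: "constructed-code-beta", members: ["u3"] },
];

const ok = (code) => ({ status: 200, body: { state: "success", code } });
const deny = () => ({ status: 403, body: { state: "error", message: "Not allowed" } });

// Behaviour reported in the issue: the team is looked up by name only,
// so any logged-in user receives the join code of any team.
function getTeamCodeVulnerable(sessionUser, body) {
  const team = teams.find((t) => t.name === body.teamName);
  if (!team) return { status: 404, body: { state: "error", message: "Team not found" } };
  return ok(team.teamCode);
}

// Hardened: the caller's identity comes from the server-side session,
// and the code is returned only to members of the requested team.
function getTeamCodeHardened(sessionUser, body) {
  // Reject missing sessions and non-string input before touching the data.
  if (!sessionUser || !body || typeof body.teamName !== "string") return deny();
  const team = teams.find((t) => t.name === body.teamName);
  // Same answer for "no such team" and "not a member", so the endpoint
  // does not confirm which team names exist.
  if (!team) return deny();
  // Compare ids by value. With database id objects (e.g. ObjectId), `===`
  // compares references, hence the String() normalisation (or .equals()).
  const isMember = team.members.some((m) => String(m) === String(sessionUser.id));
  return isMember ? ok(team.teamCode) : deny();
}

// u3 belongs to "beta" only and asks for the code of "alpha".
const outsider = { id: "u3" };
console.log(getTeamCodeVulnerable(outsider, { teamName: "alpha" }).status); // 200
console.log(getTeamCodeHardened(outsider, { teamName: "alpha" }).status); // 403
console.log(getTeamCodeHardened({ id: "u1" }, { teamName: "alpha" }).status); // 200
```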