Let’s take a peek inside the admin dashboard - abusing an API endpoint
There is a broken access control flaw in the API that lets an employee become an admin of a workspace, though with limited permissions.
Application introduction
It’s a productivity app with over 2 million users, used by businesses to track employee project time and expenses.
Key Features
There are many features, but these are some of the most important ones:
- Users can join multiple workspaces
- Users can create their own workspace
- The admin of a workspace can invite other users by email
How does the application work?
A user can join multiple workspaces from one account, but the user ID stays the same across all of them. So a user ends up with a personal workspace alongside the company’s workspace.
The API uses the workspace ID to identify which workspace a request is for.
This is what the request looks like:
This is what a workspace ID looks like:
While testing for role-based broken access control, use multi-account containers, where cookies are separated per container, so the web app can be used with multiple accounts at once.
While testing, use PwnFox to colour-code the tabs and the matching entries in Burp Suite’s proxy history.
A few sections are only visible to the admin; on the user side the functionality is limited. If we change the workspace ID directly in the browser, the app redirects us to its homepage, so instead we use Burp’s Match and Replace feature to swap the workspace ID inside the requests.
This is the final result once the personal workspace ID has been matched and replaced with the company’s workspace ID.
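The root cause described above is that the role check does not consider the workspace named in the request. The following is an added example, not the app’s code: a small in-memory model of the admin dashboard endpoint with a vulnerable handler that only checks whether the user is an admin somewhere, beside a hardened handler that looks up the role for the exact (user, workspace) pair. The workspace IDs, path format and dashboard data are constructed placeholders.

```python
"""Added example (not the app's code): per-workspace role checks on an admin endpoint."""
import re
from typing import Dict, Tuple

# Constructed sample data; workspace IDs are placeholders, not the real app's format.
# Role of each user inside each workspace. alice is admin only of her personal workspace.
MEMBERSHIPS: Dict[Tuple[str, str], str] = {
    ("alice", "ws-personal-EXAMPLE"): "admin",
    ("alice", "ws-company-EXAMPLE"): "member",
    ("bob", "ws-company-EXAMPLE"): "admin",
}
# Data that only a workspace admin should see (constructed).
ADMIN_DASHBOARD = {
    "ws-personal-EXAMPLE": {"members": ["alice"], "expenses_total": 120},
    "ws-company-EXAMPLE": {"members": ["alice", "bob"], "expenses_total": 48000},
}

# Hypothetical path layout; the real app's routes are not shown in the write-up.
WORKSPACE_PATH = re.compile(r"^/api/workspaces/(?P<ws>[A-Za-z0-9_-]+)/admin/dashboard$")


class Forbidden(Exception):
    """Raised when the caller may not see the requested resource."""


def workspace_from_path(path: str) -> str:
    """Extract the workspace ID the client put in the request path."""
    m = WORKSPACE_PATH.match(path)
    if not m:
        raise ValueError("not an admin dashboard path")
    return m.group("ws")


def dashboard_vulnerable(user_id: str, path: str) -> dict:
    """Broken: verifies the user is an admin *anywhere*, then trusts the workspace
    ID supplied by the client. Swapping the ID in the request is enough to win."""
    ws = workspace_from_path(path)
    admin_somewhere = any(
        uid == user_id and role == "admin" for (uid, _), role in MEMBERSHIPS.items()
    )
    if not admin_somewhere:
        raise Forbidden("not an admin")
    return ADMIN_DASHBOARD[ws]


def dashboard_fixed(user_id: str, path: str) -> dict:
    """Hardened: the role is resolved for the (user, workspace) pair in the request,
    so admin rights in a personal workspace grant nothing in the company workspace."""
    ws = workspace_from_path(path)
    role = MEMBERSHIPS.get((user_id, ws))
    if role is None:
        raise Forbidden(f"{user_id} is not a member of {ws}")
    if role != "admin":
        raise Forbidden(f"{user_id} is {role}, not admin, in {ws}")
    return ADMIN_DASHBOARD[ws]


def outcome(handler, user_id: str, path: str) -> str:
    """Summarise a request as 'ok' or 'forbidden' so both handlers can be compared."""
    try:
        handler(user_id, path)
        return "ok"
    except Forbidden:
        return "forbidden"


def match_and_replace(path: str, old_ws: str, new_ws: str) -> str:
    """Mimics the Burp Match and Replace step from the write-up on a request path."""
    return path.replace(old_ws, new_ws)


if __name__ == "__main__":
    personal = "/api/workspaces/ws-personal-EXAMPLE/admin/dashboard"
    swapped = match_and_replace(personal, "ws-personal-EXAMPLE", "ws-company-EXAMPLE")
    for name, handler in (("vulnerable", dashboard_vulnerable), ("fixed", dashboard_fixed)):
        print(f"{name:10} personal={outcome(handler, 'alice', personal)} "
              f"company={outcome(handler, 'alice', swapped)}")
```

The hardened handler also gives defenders something to alert on: every `Forbidden` raised for a (user, workspace) pair where the user is a plain member is a candidate for the role-confusion probing this write-up describes, so log `user_id` and the requested workspace ID together rather than just the status code.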
Step to Reproduce
End Note
If you enjoyed this article, share it with your friends. Thank you! https://linktr.ee/bhavikkanejiya