handesk icon indicating copy to clipboard operation
handesk copied to clipboard

Published 20 hours ago verified publisher icon BadChoice

Bypass Authentication Chaining with IDOR

Open kcnewb1e opened this issue 5 years ago • 5 comments
trafficstars

SUMMARY: i can read all info about the ticket, info include the ticket is name, email, number, username.

Injection Point: site.com/handesk/api/tickets/random_4_digits_number

Reproduce:

  1. access that link
  2. intercept with burp suite for edited request header
  3. edited request header and added token: the-api-token
  4. done u can bypass authentication for read that info

kcnewb1e avatar Mar 12 '20 17:03 kcnewb1e

This is the default token, and every installation should change it so It only works on fresh installs

BadChoice avatar Mar 12 '20 17:03 BadChoice

out thats not issue..

one more..

URL: site.com/handesk/api/tickets/xxxx/comments

change value on parameter new_status. 1 for processing 2. for new 4. for done

kcnewb1e avatar Mar 12 '20 17:03 kcnewb1e

What happens when you do that?

BadChoice avatar Mar 12 '20 17:03 BadChoice

Status notif will changed.. Without amdin permission

Pada tanggal Jum, 13 Mar 2020 00:53, Jordi Puigdellívol < [email protected]> menulis:

What happens when you do that?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/BadChoice/handesk/issues/419#issuecomment-598334787, or unsubscribe https://github.com/notifications/unsubscribe-auth/AM3DPAWGUXNMZRY32WN7ADLRHEORTANCNFSM4LGRUWTQ .

kcnewb1e avatar Mar 12 '20 17:03 kcnewb1e

well, that's the idea of the api :D if you have the token, you can do it all

BadChoice avatar Mar 12 '20 18:03 BadChoice