
Broken Access Control bug: bypassing 403s by finding another endpoint that does the same thing.

I found a really interesting bug in my private program and I want to share it in this writeup. Let's get started.

I was testing all the functionality of this website and found one interesting request sent when editing residents.

The response contains an interesting parameter called moved in. I tried including it in the edit request with its value set to true, hoping the server would accept it and change the stored value, and it worked.

So now we can move residents in or out as long as we have the update permission. Normally that wouldn't be a bug, but in this program editing residents and moving residents in/out are governed by different permissions. I tried it again, this time with the move in/move out permission removed from my account.

And it still works: the edit endpoint lets me move residents in or out with nothing but the update permission. Moving residents in/out is normally done through a different endpoint, and that endpoint correctly refuses the request when the account lacks the move in/move out permission, as expected. The edit endpoint simply never checks that permission for the moved in field.
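The following is an added example, not code from the program in the writeup: a minimal model of the bug, with the edit endpoint as it was found (one coarse permission check, then every field in the body is written) next to a hardened version that maps each writable field to the permission required to set it. All names are assumptions (the page only says that the edit request accepts a "moved in" parameter and that moving residents in/out is a separate permission), so `moved_in`, `resident.update` and `resident.move` are hypothetical.

```python
# Added example (hypothetical, not the program's own code): per-field
# authorisation versus a single endpoint-level check.
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised where a real service would return HTTP 403."""


@dataclass
class Resident:
    resident_id: int
    name: str
    moved_in: bool = False  # assumed name of the "moved in" flag


@dataclass
class User:
    permissions: frozenset


UPDATE_RESIDENT = "resident.update"   # assumed permission names
MOVE_RESIDENT = "resident.move"

# Hardened version: every writable field is mapped to the permission that may set it.
# Fields not listed here cannot be written through the edit endpoint at all.
FIELD_PERMISSIONS = {
    "name": UPDATE_RESIDENT,
    "moved_in": MOVE_RESIDENT,
}


def move_resident(user: User, resident: Resident, moved_in: bool) -> Resident:
    """The dedicated move in/move out endpoint. This one checks the right permission."""
    if MOVE_RESIDENT not in user.permissions:
        raise PermissionDenied("move in/move out requires " + MOVE_RESIDENT)
    resident.moved_in = moved_in
    return resident


def update_resident_vulnerable(user: User, resident: Resident, body: dict) -> Resident:
    """The edit endpoint as the writeup found it: one coarse permission check,
    then every attribute present in the body is written (mass assignment)."""
    if UPDATE_RESIDENT not in user.permissions:
        raise PermissionDenied("editing requires " + UPDATE_RESIDENT)
    for key, value in body.items():
        if hasattr(resident, key):          # 'moved_in' passes this test
            setattr(resident, key, value)
    return resident


def update_resident_fixed(user: User, resident: Resident, body: dict) -> Resident:
    """Hardened edit endpoint: the endpoint-level check stays, and each field in
    the body is additionally checked against FIELD_PERMISSIONS before any write."""
    if UPDATE_RESIDENT not in user.permissions:
        raise PermissionDenied("editing requires " + UPDATE_RESIDENT)
    for key in body:
        required = FIELD_PERMISSIONS.get(key)
        if required is None:
            raise PermissionDenied(f"field {key!r} is not writable here")
        if required not in user.permissions:
            raise PermissionDenied(f"field {key!r} requires {required}")
    # Only after every field is authorised do we mutate anything.
    for key, value in body.items():
        setattr(resident, key, value)
    return resident


def reproduce() -> dict:
    """Replay the writeup's test with an account that has only the update permission."""
    low_priv = User(frozenset({UPDATE_RESIDENT}))
    results = {}

    # 1. The dedicated endpoint refuses, as expected.
    try:
        move_resident(low_priv, Resident(1, "alice"), True)
        results["move_endpoint"] = "allowed"
    except PermissionDenied:
        results["move_endpoint"] = "403"

    # 2. The vulnerable edit endpoint flips the flag anyway.
    r = update_resident_vulnerable(low_priv, Resident(1, "alice"), {"moved_in": True})
    results["update_vulnerable"] = "allowed" if r.moved_in else "403"

    # 3. The fixed edit endpoint refuses the same body and leaves the flag untouched ...
    r = Resident(1, "alice")
    try:
        update_resident_fixed(low_priv, r, {"moved_in": True})
        results["update_fixed"] = "allowed"
    except PermissionDenied:
        results["update_fixed"] = "403"
    results["update_fixed_flag_unchanged"] = r.moved_in is False

    # ... but still lets the account do what it is actually allowed to do.
    r = update_resident_fixed(low_priv, Resident(1, "alice"), {"name": "alice b."})
    results["update_fixed_name"] = r.name
    return results


if __name__ == "__main__":
    for key, value in reproduce().items():
        print(f"{key}: {value}")
```

The design point is that the hardened handler decides per field, and rejects the whole request before writing anything, so a body that mixes an allowed field with a forbidden one cannot partially succeed. When hunting for this class of bug, the same replay works: take any request that writes data you are not allowed to change, and send it again from a session that only has the weaker permission.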

So this is a neat little bypass: the dedicated endpoint enforces the permission, but a second endpoint that can write the same field does not. Whenever a 403 blocks an action, it is worth looking for other endpoints that change the same data.

Thanks for reading.

Join the discord server: https://discord.gg/bugbounty

This post is licensed under CC BY 4.0 by the author.