
Any user could upload attachments to pentest scoping form they don't have access to

High
HackerOne

Team Summary

Official summary from HackerOne

The root cause of this issue appears to be insufficient access controls implemented in the attachment upload functionality for pentest scoping forms. The endpoint responsible for handling attachment uploads did not properly validate the user's access rights to the specific scoping form, allowing any authenticated user to upload files as long as they had the scoping form ID. According to the engineering team, the scoping form can be "accessed" by any signed in account, but they should not be able to access data/send mutations without authorization (the attachment controller logic is separate from the pentest opportunity's mutations). So a non-authorized signed in user would just see an empty scoping form that they cannot autosave/submit. As a result of this, a fix has been implemented to prevent attachment uploads for non-org members of the scoping form.

Reported by hillybot_

Vulnerability Details

Technical details and impact analysis

Business Logic Errors
Hello team, in my recent testing I found that any user could upload attachments to any user's pentest scoping form without having access to it, as long as they have the scope ID.

Note: before you start, you will require two accounts to test for this bug.

Steps to reproduce:

1. Create a sandbox.
2. Go to Pentest and start a pentest form.
3. Copy the pentest form ID from the URL.
4. Log in to your second account.
5. Send the following request:

```http
POST /attachments HTTP/2
Host: hackerone.com
Cookie: your cookies

-----------------------------22121373215470710503552942440
Content-Disposition: form-data; name="tracer"

989953fa-5635-43c9-b584-48736d224b15
-----------------------------22121373215470710503552942440
Content-Disposition: form-data; name="context_type"

PentestOpportunity
-----------------------------22121373215470710503552942440
Content-Disposition: form-data; name="file"; filename="does not have a option to change his own permission.png"
Content-Type: image/png

```

6. From your previous account, reload the scoping form and go to Review and Submit.
7. You will notice that the file has been successfully uploaded.

## Impact

Business logic error: could attach malicious files to anyone's scoping form.
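An added example, not HackerOne's code, that models the gap in the report and the fix the team describes: the upload handler resolves the scoping form from the client-supplied `context_type`/`context_id`, and the hardened path refuses the file unless the signed-in user belongs to the org that owns that form. All class names, fields and sample data below are assumptions.

```ruby
# Added example (not HackerOne's code): a minimal model of an attachment
# upload handler that resolves the scoping form from the client-supplied
# context_type/context_id fields seen in the request above. All names,
# structures and sample data are assumptions.
User = Struct.new(:id, :org_id)
PentestOpportunity = Struct.new(:id, :org_id, :attachments)

class AttachmentUploader
  class Forbidden < StandardError; end
  # opportunities: hash of scoping form id => PentestOpportunity
  def initialize(opportunities)
    @opportunities = opportunities
  end

  # Vulnerable behaviour: any signed-in user who knows the form id can attach
  # a file, because the uploader is never checked against the form's owner.
  def upload_unchecked(user, context_type, context_id, filename)
    form = find_context(context_type, context_id)
    form.attachments << { uploader: user.id, filename: filename }
    form
  end

  # Fixed behaviour: same lookup, but the upload is refused unless the uploader
  # is in the org that owns the form; the decision comes from the server-side
  # record, not from anything the client sent.
  def upload(user, context_type, context_id, filename)
    form = find_context(context_type, context_id)
    raise Forbidden, "#{user.id} is not in org #{form.org_id}" unless form.org_id == user.org_id
    form.attachments << { uploader: user.id, filename: filename }
    form
  end

  private
  def find_context(context_type, context_id)
    raise ArgumentError, "unsupported context_type" unless context_type == "PentestOpportunity"
    @opportunities.fetch(context_id) { raise ArgumentError, "unknown scoping form" }
  end
end

# Constructed sample: a form owned by "org-a" and a signed-in outsider from "org-b".
def demo
  form = PentestOpportunity.new("form-1", "org-a", [])
  uploader = AttachmentUploader.new("form-1" => form)
  outsider = User.new("outsider", "org-b")
  uploader.upload_unchecked(outsider, "PentestOpportunity", "form-1", "a.png")
  begin
    uploader.upload(outsider, "PentestOpportunity", "form-1", "b.png")
  rescue AttachmentUploader::Forbidden
  end
  form.attachments.size # 1: only the unchecked path accepted the outsider's file
end
```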

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Business Logic Errors