Skip to content

IDOR at /drafts/publish/

HackerOne report #429908 by lucky_sen on 2018-10-28:

Summary: I found IDOR vulnerability at the endpoint /drafts/publish which enable me to publish unauthorised drafts.

Description: There is a feature in discussion where we can save our review as draft and then publish it later. I notice that the ID parameter are not properly check before publish any draft review so i am able to publish any one draft review even there discussion are confidential and i don't have access on it .

Steps To Reproduce:

  1. Make 2 accounts A and B and create separate merge requests in both of them.
  2. Make a draft review in both merge requests by clicking Start a review. Note down B's draft id from the response.
  3. Go through A's account and publish a comment by clicking Add comment now.
  4. Intercept the request and change the Id parameter with B's draft id. (B's draft successfully published)

Supporting Material/References:

  • Screenshot_2018-10-28_15_13_21.png
  • Screenshot_2018-10-28_15_13_36.png
  • Screenshot_2018-10-28_15_13_49.png

Impact

Attacker are able to publish some one confidential draft with out any authentication.

Thanks!

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Edited by Dennis Appelt