1:
If the website allows creating an organisation, you have, for example, two roles: admin and admin (two admin accounts).
Access the user-information endpoint as admin 2 and save the request.
With the other admin, downgrade admin 2's role to a regular user, replay the saved request, and see if you can still access the users' PII.
2:
Remove the user from the organisation, keeping the organisation's join URL. After removing the user, open the same URL and see if you can rejoin the organisation with the old URL after you were removed from the org.
3:
If the site supports creating an API key and using it to authenticate and perform actions,
create a new API key, delete your account, and see if you are still able to use the API key. If you can, then a user who is banned or otherwise removed will still be able to access the account through that key.
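All three tests probe the same defect: an authorisation decision that is cached or left dangling after the underlying state changed. The in-memory model below is an added example, not the thread author's code; its names (Service, get_member_pii, and so on) and the constructed email values are assumptions. It shows the server-side behaviour that makes each of the three tests above come back negative.

```python
import secrets

# Added example (not from the original thread). Names are assumed; the
# point is that every check reads current state, never a cached grant.
class Service:
    def __init__(self):
        self.users = set()      # live accounts
        self.api_keys = {}      # key -> owning user
        self.members = {}       # (org, user) -> role
        self.invites = {}       # invite token -> (org, user) it was issued to

    # --- test 1: the role is read from current state on every request ---
    def set_role(self, org, user, role):
        self.members[(org, user)] = role

    def get_member_pii(self, org, actor, target):
        if self.members.get((org, actor)) != "admin":
            raise PermissionError("admin role required")   # downgraded admin stops here
        if (org, target) not in self.members:
            raise KeyError(target)
        return {"user": target, "email": f"{target}@example.test"}  # constructed PII

    # --- test 2: removing a member voids the invite links issued to them ---
    def issue_invite(self, org, user):
        token = secrets.token_urlsafe(16)
        self.invites[token] = (org, user)
        return token

    def remove_member(self, org, user):
        self.members.pop((org, user), None)
        self.invites = {t: v for t, v in self.invites.items() if v != (org, user)}

    def join_with_invite(self, token):
        target = self.invites.pop(token, None)   # single use; None if revoked or reused
        if target is None:
            return False
        self.members[target] = "member"
        return True

    # --- test 3: API keys die with the account that owns them ---
    def create_api_key(self, user):
        key = secrets.token_urlsafe(16)
        self.api_keys[key] = user
        return key

    def resolve_api_key(self, key):
        user = self.api_keys.get(key)
        return user if user in self.users else None   # deleted owner -> no identity

    def delete_account(self, user):
        self.users.discard(user)
        self.api_keys = {k: u for k, u in self.api_keys.items() if u != user}
```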
The above vulnerabilities are simple, but I saw that some people cannot test for them.
Have a great day with your coffee ♥️