ID | Status | Summary | Opened by
185 | Closed | IDOR Leading to Disclosure of All Organization Database ... | ranj3et

Task Description

Hi Team,

Description:
I have found that there is a feature to create a duplicate of a database, and during that process, there is an option to choose a recipient. This endpoint lacks proper access control. If an attacker inputs the recipient ID of another organization's database user, it discloses their name.

Additionally, the recipient ID is sequential, numerical, and easily enumerable — making it guessable.

Steps to Reproduce:
1. Log in to Organization A and attempt to create a duplicate of a database. Choose a recipient, and from this endpoint:

`https://admin.alwaysdata.com/database/duplicate/@@/?_field_account=@@`

copy the `field_account` parameter.

2. Now, log in to Organization B. Try to create a duplicate database, and when choosing the recipient, capture the request using Burp Suite, and from this endpoint:

`https://admin.alwaysdata.com/database/duplicate/@@/?_field_account=@@`

replace the `field_account` parameter with the one copied from Organization A.

You will see that the user details of Organization A are disclosed.

POC Video:
https://drive.google.com/file/d/1u2qZ7wC8nNquBNFJ4kwWoU-oZsXzI-go/view?usp=sharing

Regards,
Ranjet

184 | Closed | CSRF | ranj3et

Task Description

Hello Team,

Vulnerability: CSRF to Change DKIM Key Pair of Victim

Description: I have found that the DKIM key pair regeneration feature lacks proper CSRF protection. As a result, if a victim visits an attacker-controlled site, the attacker can regenerate a new DKIM key pair for the victim's domain. This will effectively change the victim’s existing DKIM key.

Steps to Reproduce:
NOTE: After adding a domain, the domain ID is assigned in a predictable numeric sequence. I am assuming that the attacker knows the victim's domain ID.

1. Log into your account and save the following code as `1.html`. Replace the domain ID in the script with the victim's domain ID and open the file in your browser.

<html>
  <body>
    <form action="https://admin.alwaysdata.com/domain/117551/dkim/generate/">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

2. You will notice that a new DKIM key pair has been generated for the victim’s domain without their consent.

POC Video:
https://drive.google.com/file/d/1LXBYjEXpdIr79f1flq14fSiP3HdETRe-/view?usp=sharing

Regards,
Ranjeet
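
Both reports above describe a request that is honoured without checking who sent it or whose object the numeric ID names. The following added example (not alwaysdata's code and not part of either report) shows the corresponding server-side checks in Python. The handler name, session shape, account names and ownership table are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: which account owns which domain ID (hypothetical).
DOMAIN_OWNER = {117551: "org-a", 117552: "org-b"}
SERVER_KEY = secrets.token_bytes(32)  # per-process secret for token derivation


def csrf_token(session_id: str) -> str:
    """Token bound to one session; a third-party page cannot read or compute it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def regenerate_dkim(method: str, session: dict, domain_id: int, form: dict):
    """Return (status, message) for a hypothetical DKIM regeneration request."""
    # 1. State-changing action: refuse GET, which a bare cross-site <form> can send.
    if method != "POST":
        return 405, "method not allowed"

    # 2. CSRF: require the session-bound token, compared in constant time.
    supplied = form.get("csrf_token", "")
    expected = csrf_token(session["id"])
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "csrf check failed"

    # 3. Object-level authorization: the ID must belong to the caller's account.
    #    "Unknown ID" and "someone else's ID" get the same answer, so walking
    #    the sequential ID space reveals nothing.
    if DOMAIN_OWNER.get(domain_id) != session["account"]:
        return 404, "not found"

    return 200, "key pair regenerated"


if __name__ == "__main__":
    s = {"id": "sess-b", "account": "org-b"}
    tok = csrf_token(s["id"])
    print(regenerate_dkim("GET", s, 117552, {}))                    # cross-site GET
    print(regenerate_dkim("POST", s, 117552, {}))                   # no token
    print(regenerate_dkim("POST", s, 117551, {"csrf_token": tok}))  # other org's ID
    print(regenerate_dkim("POST", s, 117552, {"csrf_token": tok}))  # legitimate
```

The ownership check in step 3 is the same control the database-duplicate recipient lookup needs: resolve the supplied ID only within the caller's own organization.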
