Editing a User to Add Sensitive Scopes to a JWT ($6000 USD)
Original Post:
We discussed this vulnerability during Episode 89 on 11 October 2021
Had a JWT, and noticed functionality to invite a user to a group and then change their privileges; these privileges were reflected in the JWT scopes. By modifying this edit-user request, additional scopes that were not displayed in the UI could be added, such as the company:operations and company:support scopes, which then generated a JWT able to access an internal, employee-only API. The same vulnerability also existed in assigning scopes to your own API keys.
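An added example (not code from the original post or the affected service) showing the scope mass-assignment pattern described above beside a hardened handler: the vulnerable version copies whatever scopes the client sends into the JWT claims, while the fixed version only assigns scopes the UI actually exposes and that the requester already holds. The scope names, request shape and function names are assumptions.

```python
"""Added example: user-edit handler that copies requested scopes into JWT
claims verbatim, beside a hardened version with a server-side allowlist.
All scope names and the request shape here are assumed/constructed."""
from typing import Dict, List

# Assumption: the only scopes the group-management UI lets a member assign.
UI_ASSIGNABLE_SCOPES = frozenset({"group:read", "group:write", "billing:read"})

# Assumption: internal, employee-only scopes that must never be user-assignable.
INTERNAL_SCOPES = frozenset({"company:operations", "company:support"})


class ScopeError(ValueError):
    """Raised when a request tries to assign a scope it may not grant."""


def vulnerable_edit_user(request: Dict) -> Dict:
    """Mass-assignment bug: whatever 'scopes' the client sends become claims."""
    return {"sub": request["user_id"], "scopes": sorted(set(request["scopes"]))}


def hardened_edit_user(request: Dict, requester_scopes: List[str]) -> Dict:
    """Only UI-exposed scopes that the requester already holds are assigned."""
    requested = set(request["scopes"])
    # Reject (rather than silently drop) anything outside the assignable set,
    # which covers INTERNAL_SCOPES and unknown names, so the attempt is logged
    # server-side and the client receives a clear 4xx.
    not_assignable = requested - UI_ASSIGNABLE_SCOPES
    if not_assignable:
        raise ScopeError(f"non-assignable scopes: {sorted(not_assignable)}")
    # A member may only delegate privileges they themselves hold.
    not_held = requested - set(requester_scopes)
    if not_held:
        raise ScopeError(f"requester lacks scopes: {sorted(not_held)}")
    return {"sub": request["user_id"], "scopes": sorted(requested)}


def edit_is_rejected(request: Dict, requester_scopes: List[str]) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        hardened_edit_user(request, requester_scopes)
    except ScopeError:
        return True
    return False


def internal_api_allows(claims: Dict) -> bool:
    """The check an internal employee-only API would make on the minted JWT."""
    return bool(INTERNAL_SCOPES & set(claims["scopes"]))


# Constructed request: an edit-user body with an undisplayed scope added.
TAMPERED_REQUEST = {"user_id": "u-123", "scopes": ["group:read", "company:operations"]}
REQUESTER_SCOPES = ["group:read", "group:write"]
```

In the hardened path the allowlist is enforced on the server regardless of what the UI displays, which is the same fix needed for the API-key scope assignment mentioned above.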