Unknown Forum System with a Couple IDOR-style bugs for Privilege Escalation

Original Post:
Full Team Takeover
We discussed this vulnerability during Episode 179 on 16 January 2023

Some funny vulns in an undisclosed forum’s “teams” feature where users could create their own teams and request to join others as different roles. Users could request to join a team as any non-admin role, and a team admin could accept the request. The problem is, the requests were vulnerable to IDOR-type issues.

First bug: Sending a Request to Join a Team as Admin

The request to the team-join-post endpoint contains Team and TeamRole objects, each with its own ObjectId, identifying which team to join and which role is being requested. A user can tamper with this request and swap the TeamRole object ID for that of the admin role, submitting a request to join the team as an admin.

Second bug: Approving a Team Join Request on Behalf of an Admin

On the admin side, the team-join-response-post endpoint is used to approve a request to join the team. The request body contains two object IDs, Team and TeamMember, and a boolean isApproved. There was no authorization check on this endpoint, however, so an attacker who knew the Team object ID and their own object ID for the TeamMember field could approve their own request.
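As an added illustration (not code from the original post or from the forum in question; the Team class, role names and function names are assumptions), here are both endpoints' checks side by side in their vulnerable and hardened forms, plus a helper that replays the scenario above against each:

```python
# Added example with assumed names (not the forum's code): both checks, vulnerable and hardened.
from dataclasses import dataclass, field

ADMIN_ROLE = "admin"
REQUESTABLE_ROLES = {"member", "moderator"}  # roles a client may ask for

@dataclass
class Team:
    team_id: str
    admins: set = field(default_factory=set)      # user ids that administer the team
    pending: dict = field(default_factory=dict)   # user_id -> requested role
    members: dict = field(default_factory=dict)   # user_id -> granted role

def join_request_vulnerable(team, user_id, role_id):
    # Bug 1: trusts the client-supplied TeamRole id, so "admin" is accepted.
    team.pending[user_id] = role_id

def join_request_fixed(team, user_id, role_id):
    # Server-side allow-list: the admin role can never be requested.
    if role_id not in REQUESTABLE_ROLES:
        raise PermissionError(f"role {role_id!r} cannot be requested")
    team.pending[user_id] = role_id

def approve_vulnerable(team, caller, member_id, approved):
    # Bug 2: never checks that `caller` administers `team`, so a user who
    # knows the Team id and their own TeamMember id can approve themselves.
    if approved and member_id in team.pending:
        team.members[member_id] = team.pending.pop(member_id)

def approve_fixed(team, caller, member_id, approved):
    # Authorization comes from the authenticated caller, not the request body.
    if caller not in team.admins:
        raise PermissionError("caller is not an admin of this team")
    if member_id not in team.pending:
        raise PermissionError("no pending request for this member")
    role = team.pending.pop(member_id)
    if approved:
        team.members[member_id] = role

def self_approval_outcome(fixed):
    # Replays the post's scenario (request the admin role, then approve one's own
    # request). Returns the role the user ends up holding, or None if rejected.
    team = Team("team-1", admins={"alice"})
    user = "mallory"
    join = join_request_fixed if fixed else join_request_vulnerable
    approve = approve_fixed if fixed else approve_vulnerable
    try:
        join(team, user, ADMIN_ROLE)
        approve(team, user, user, True)
    except PermissionError:
        return None
    return team.members.get(user)
```

The hardened version fixes both bugs independently: the allow-list stops the admin role from ever being requested, and the admin check stops anyone but a team admin from approving, so either fix alone would already break the takeover chain.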