1 Program, 4 Business Logic Bugs and Cashing in 2300$. ($2300)
Original Post:
We discussed this vulnerability during Episode 237 on 28 January 2024
Four issues: two are race conditions, and two are due to authorization checks that are missing on the API and only enforced on the front-end.
- Ability to invite more users beyond the team limit - This is kinda a race condition, but with a pretty long window for one. On this unnamed application, the Team plan allowed inviting up to three team members. The problem was that this limit was only checked against the current number of team members at the time the invite is sent, and there is no apparent limit on the number of invites that can be sent. So as long as the invites are sent before a third member joins the team, they will still be able to join the team.
- Client-Side Auth - I’m going to merge the second and fourth issues into just one here because to me they have the same sort of root cause. An account may not be authorized to perform an action, such as a user with no plan inviting members to their team or lower-privileged members of a team viewing higher-privileged data, yet both could be accomplished by making direct requests to the API instead of using the frontend application.
- Limit Bypass Race Condition - This one is a bit tighter, though, and has to do with creating “browser profiles” in the application. This is just a classic limit-bypass race. There is a limit on the solo plan of 300 browser profiles; sending many requests at the same time can result in more profiles being added than should have been allowed.
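
Both limit bypasses above (team invites and browser profiles) come down to a limit that is checked separately from the write that consumes the slot. The sketch below is an added example, not code from the original post or the affected application: the schema, function names and sample users are assumptions, and SQLite stands in for the unknown data store. It replays the invite flow against a join that trusts the send-time check and against a join that enforces the limit in the same statement as the insert.

```python
import sqlite3

TEAM_LIMIT = 3  # seat limit of the Team plan described above

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE members(team TEXT, user TEXT, UNIQUE(team, user));
        CREATE TABLE invites(team TEXT, user TEXT);
    """)
    return db

def invite_checked_at_send(db, team, user):
    # Flawed pattern from the write-up: the limit is compared only against
    # current members, and only at the time the invite is sent.
    (n,) = db.execute("SELECT COUNT(*) FROM members WHERE team=?", (team,)).fetchone()
    if n >= TEAM_LIMIT:
        return False
    db.execute("INSERT INTO invites VALUES(?,?)", (team, user))
    return True

def accept_unchecked(db, team, user):
    # Flawed: joining trusts the earlier send-time check.
    db.execute("INSERT INTO members VALUES(?,?)", (team, user))
    return True

def accept_atomic(db, team, user):
    # Hardened: count and insert are a single statement, so the limit is
    # enforced at the moment the seat is actually taken.
    with db:
        cur = db.execute(
            "INSERT INTO members SELECT ?, ? "
            "WHERE (SELECT COUNT(*) FROM members WHERE team=?) < ?",
            (team, user, team, TEAM_LIMIT))
    return cur.rowcount == 1

def run(accept):
    db = new_db()
    users = [f"user{i}" for i in range(5)]  # constructed sample data
    sent = [invite_checked_at_send(db, "t1", u) for u in users]
    joined = [accept(db, "t1", u) for u in users]
    (n,) = db.execute("SELECT COUNT(*) FROM members WHERE team='t1'").fetchone()
    return sum(sent), sum(joined), n

if __name__ == "__main__":
    print("send-time check only:", run(accept_unchecked))
    print("atomic check at join:", run(accept_atomic))
```

SQLite serializes writers, so the single conditional insert is enough here. On a database with concurrent writers the same statement also needs a row lock on the team (or plan) record or a serializable transaction, otherwise parallel requests can each pass the count.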