Accessing Restricted Documents With Extra JSON Body Content

The issue I'm going to share with you is a few months old, but recently I found the same issue on the program again while re-checking my fixed issues. The program is private on Bugcrowd, so I'm not going to share any information that discloses it. The program allows users to send, edit and manage documents easily within a team.

I used two accounts here: one Admin account and one normal account.

I created a document from the Admin account and tried to access it from the normal account without being granted access to the document. But every API endpoint returned a 403 error.

From the normal account, while editing a document belonging to that account, I noticed that the request had a documentId in the JSON body.

While creating a blank document, I thought of adding the Admin documentId to the JSON request body.

Here is the normal request:

POST /api/accounts/envelope/ HTTP/1.1
Host: redacted.com

{"enableResponsiveChoice":false,"emailBlurb":null,"emailSubject":null,"autoNavigation":false,"status":"created","notification":{"useAccountDefaults":true}}

Notice that the request does not contain a documentId.

After adding the documentId to the request:

POST /api/accounts/envelope/ HTTP/1.1
Host: redacted.com

{"enableResponsiveChoice":false,"emailBlurb":null,"emailSubject":null,"autoNavigation":false,"status":"created","notification":{"useAccountDefaults":true},"documentId":"documentIdofAdmin"}

After making the request, a new document is created containing the Admin document's information, even though the normal account was never given access to it.

Sadly, this was only exploitable between members of the same team.

Later I discovered several more issues using the same technique.
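The root cause above is a create endpoint that trusts an extra, unexpected JSON field. Below is an added example (my own code, not the program's) of the vulnerable handler beside a hardened one that allowlists body fields and checks that the caller may access any documentId it names; the document store, account names and owner-only access model are constructed for illustration.

```python
import json

# Fields the create-envelope endpoint is meant to accept (constructed
# allowlist: the six from the normal request plus the abused documentId).
ALLOWED_FIELDS = {
    "enableResponsiveChoice", "emailBlurb", "emailSubject",
    "autoNavigation", "status", "notification", "documentId",
}

# Constructed sample document store: documentId -> owning account.
DOCUMENTS = {"doc-admin-1": "admin", "doc-user-1": "user"}


def create_envelope_vulnerable(body: str, caller: str) -> dict:
    """Behaviour the post describes: whatever documentId arrives in the
    JSON body is copied into the new envelope with no access check."""
    data = json.loads(body)
    return {"status": 201, "owner": caller, "documentId": data.get("documentId")}


def create_envelope(body: str, caller: str) -> dict:
    """Hardened handler: reject fields outside the allowlist and only
    accept a documentId that the caller is allowed to read."""
    data = json.loads(body)
    unknown = set(data) - ALLOWED_FIELDS
    if unknown:
        return {"status": 400, "error": f"unexpected fields: {sorted(unknown)}"}
    doc_id = data.get("documentId")
    if doc_id is not None and DOCUMENTS.get(doc_id) != caller:
        # Same 403 for "missing" and "not yours", so the endpoint does not
        # reveal which document ids exist.
        return {"status": 403, "error": "forbidden"}
    return {"status": 201, "owner": caller, "documentId": doc_id}


# Constructed requests mirroring the two from the post.
NORMAL = json.dumps({"enableResponsiveChoice": False, "emailBlurb": None,
                     "emailSubject": None, "autoNavigation": False,
                     "status": "created",
                     "notification": {"useAccountDefaults": True}})
WITH_ADMIN_DOC = json.dumps({**json.loads(NORMAL), "documentId": "doc-admin-1"})

if __name__ == "__main__":
    print(create_envelope_vulnerable(WITH_ADMIN_DOC, "user"))  # 201: admin doc leaks
    print(create_envelope(WITH_ADMIN_DOC, "user"))             # 403
```

The allowlist check also catches other unexpected fields an attacker might add, which is why the fix is a field allowlist plus an authorization check rather than a blocklist of one field.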

***

Hope you enjoyed reading.
