No Way Out: Enforced and Inescapable Organizational Membership

Mo2men Elmady
3 min readJul 11, 2024


In the name of Allah, the Most Gracious, the Most Merciful. O Allah, send blessings, peace and grace upon our Prophet Muhammad.

Before we begin, I offer my prayers for my brothers in Palestine and Sudan, asking Allah to grant them unwavering strength and ultimate victory.

Introduction

In this writeup, I will detail a logic vulnerability that I found, together with my friend Abdallah Osman, in a public bug bounty program. This article shows how a flaw in application logic can become an exploitable bug simply through thinking about, and understanding, how the application works.

Overview

Our significant finding was a vulnerability in [redacted]’s dashboard that allows an attacker to manipulate the invitation process. This exploit can block users from signing up with their email to create their own organization and force them into an existing organization they cannot leave.

Vulnerable Endpoint

The endpoint in question was responsible for handling invitations:

POST /dashboard/organization/invitation/ HTTP/2
Host: redacted.com
Cookie: <your_cookie>
Content-Length: 107
Sec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120"
Accept: application/json, text/plain, */*
Content-Type: application/json
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.216 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://dashboard.redacted.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://dashboard.redacted.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=4, i

{"email":"poc@gmail.com","role":"ADMIN","organization_uid":"xxxxxxxxxxxxxxxxxxxxx"}

By manipulating the invitation process, we could prevent users from creating their own organizations and trap them in an existing one.

Steps to Reproduce

1. Sign in to the [redacted] Dashboard.

2. Navigate to the Members section and invite a user (User-B).

3. Navigate to User-B's sandbox:

  • User-B will see the invitation.
  • Attempt to sign up without accepting the invite; the result is a message that the email already has an invitation and cannot create a new organization.
  • Accept the invitation and sign up with admin credentials.
  • Attempt to delete your own account; note that it is not possible to remove yourself from the organization.
  • Attempt to create your own organization; you cannot be a member of more than one organization.

4. Capture and manipulate the invite request:

  • Tool: use Burp Suite to capture the invitation request.
  • Send the captured request to Burp Suite Intruder.
  • Send invitations to many different emails, blocking those users from signing up with them.
  • There is no limit on the number of invitations, so a large number of users can be blocked.
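
As an added illustration (not code from the program or from the report), the following Python model reproduces the three logic flaws in the steps above beside a hardened policy: a per-inviter invitation quota, a sign-up that is no longer blocked by a pending invitation, and a working leave operation. The quota value and the last-admin guard are assumptions; the one-organization-per-user rule is taken from the report's own description.

```python
from collections import defaultdict

class InviteService:
    MAX_INVITES_PER_INVITER = 20  # assumed quota, not a value from the report

    def __init__(self, hardened):
        self.hardened = hardened          # False = reported behaviour, True = fixed
        self.pending = defaultdict(set)   # invitee email -> {org_uid}
        self.members = defaultdict(dict)  # org_uid -> {email: role}
        self.org_of = {}                  # email -> org_uid (one org per user)
        self.sent_by = defaultdict(int)   # inviter email -> invitations sent

    def invite(self, inviter, org_uid, email):
        # Fix 1: cap invitations per inviter; the report found no limit at all.
        if self.hardened and self.sent_by[inviter] >= self.MAX_INVITES_PER_INVITER:
            return "rate_limited"
        self.pending[email].add(org_uid)
        self.sent_by[inviter] += 1
        return "sent"

    def signup(self, email):
        if email in self.org_of:
            return "already_member"         # one organization per user
        if not self.hardened and self.pending[email]:
            return "blocked_by_invitation"  # reported bug: invite blocks sign-up
        # Fix 2: a pending invite is only an option; creating an org discards it.
        self.pending.pop(email, None)
        org_uid = f"org-{email}"
        self.members[org_uid][email] = "ADMIN"
        self.org_of[email] = org_uid
        return "created"

    def accept(self, email, org_uid, role):
        if org_uid not in self.pending[email] or email in self.org_of:
            return "invalid"
        self.pending[email].discard(org_uid)
        self.members[org_uid][email] = role
        self.org_of[email] = org_uid
        return "joined"

    def leave(self, email):
        org_uid = self.org_of[email]        # KeyError for non-members
        if not self.hardened:
            return "cannot_leave"           # reported bug: no way out
        # Fix 3: members may leave; assumed guard so the org keeps one admin.
        if [m for m, r in self.members[org_uid].items() if r == "ADMIN"] == [email]:
            return "last_admin"
        del self.members[org_uid][email], self.org_of[email]
        return "left"
```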

Impact

This vulnerability can be exploited to:

  • Block Users from Creating Organizations: By sending invitations to users, attackers can prevent them from signing up and creating their own organizations.
  • Trap Users in Organizations: Once users accept an invitation, they cannot leave the organization, effectively trapping them.
  • Disrupt Normal Operations: This can lead to significant disruptions in how users interact with the platform, causing frustration and potential loss of user trust.
Duplicate: and here I had to step in.

Thank you for reading !

All my links are here.
