Privilege Escalation Leads to making authenticated actions (payment processing, creating invoices.. etc)
Today, I’m going to show how unauthenticated users can make (payment processing, creating invoices.. etc)!
First of all, This was a public program, but the vulnerability is not fixed yet so I will refer to it with target.com.
This domain is sandbox but they said
We have ensured the sandbox has the same functionality needed for testing
When a user creates a new account he must wait for the acceptance period (2–3 days) during this period he should not be able to make authenticated actions e.g (payment processing, creating invoices.. etc) since he’s not accepted yet. however this case it’s not applied to the API keys acquired from commerce/account/apiKeys?
Proof Of Concept
When a user registers a new account on `target.com/commerce`, he waits a few days for approval or rejection. When this user tries to log in to their account, he redirects to
target.com/commerce/login/auth -> target.com/commerce/login/dashboard -> target.com/commerce/login/denied
I tried to log in again and stop at `target.com/commerce/login/dashboard` then I found the user can access his dashboard and can have the authorized to see his account, customer, payment, Settings … etc and he can’t make any action. it’s just view pages.
But if we see the requests sent in burp, we will find API key endpoint `commerce/apiKeys?appkey=false&source=Ecomerce` which is related to the user’s account
Although he cannot access the API without logging in (as it was not approved or rejected)
After getting API keys I went to their API documentation and see how I can [create, list, update, delete & find] The [payment, plan, invoices …. etc] all and all of these functions worked with me :”D this is the result
Bug Submitted in Apr 2021 and is not fixed until now :”D