Delete any post for all users via IDOR

# Description Delete any post for all users via IDOR # Proof of Concept 1- Post anything 2- Open Burp Suite to intercept the request 3- When deleting the post, we notice that there is a DELETE /a ...

Reset API for any user via IDOR

# Description Reset API for any user, without any action on their part, via IDOR # Proof of Concept 1- Create a user 2- Go to Settings 3- Open Burp Suite to intercept the request 4- Click Reset API 5 ...

A user can delete other users' posts

# Description As in the title, an attacker can delete other users' posts via the post ID (which can be brute-forced). Here is a video PoC: https://drive.google.com/file/d/18QucWYwkpO9kVPMqNzSQ-ptwrZGk-UP9/view?usp=share ...

Delete all notes of all users in the application

# Description A user with login permission can delete all notes in the whole application via the API: DELETE https://demo.usememos.com/api/memo/$idnote # Proof of Concept # Link: https://drive.google.com ...

Unauthorized Attacker Can Change Visibility Status of Victim’s Memos

An attacker can turn a private memo into a public memo in order to view it. All the attacker needs to know is the memo ID; they can then make a `PATCH` request to `/api/memo/` with the following request ...

Get all files in Resources of any user and delete any file of any user via IDOR

# Description Easily GET information on all files uploaded by all users in Resources via the API https://demo.usememos.com/api/resource/$id_resource (method GET). Easily DELETE all files uploaded by all ...

IDOR allows seeing, updating and deleting other users' shortcuts

# Description Even though the endpoint /api/shortcut only lists your own shortcuts, it is possible to access, modify and delete other users' shortcuts by addressing them directly by ID. # Pr ...
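The memo, resource and shortcut findings listed above share one root cause: the handler loads the object by its (sequential, guessable) ID and never compares the object's creator to the authenticated caller. The Go code below is an added example written for this page, not memos' own code. It shows the ownership check at the store layer, applied once and reused by both the DELETE and the visibility PATCH, and an HTTP handler that takes the caller's identity from a session stand-in (the hypothetical `X-User-ID` header) rather than from anything in the request the attacker controls. The `Memo` field names, the `PRIVATE`/`PUBLIC` values and the `/api/memo/{id}` routing are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"sync"
)

// Memo is a minimal stand-in for a memos note; field names are assumptions.
type Memo struct {
	ID, CreatorID int
	Visibility    string // "PRIVATE" or "PUBLIC" (assumed values)
}

var ErrNotFound, ErrForbidden = errors.New("memo not found"), errors.New("caller is not the memo's owner")

// Store is an in-memory memo table guarded by a mutex.
type Store struct {
	mu    sync.Mutex
	memos map[int]*Memo
}

func NewStore() *Store                    { return &Store{memos: map[int]*Memo{}} }
func (s *Store) Add(m *Memo)              { s.mu.Lock(); defer s.mu.Unlock(); s.memos[m.ID] = m }
func (s *Store) Get(id int) (*Memo, bool) { s.mu.Lock(); defer s.mu.Unlock(); m, ok := s.memos[id]; return m, ok }

// withOwned is the check the reported endpoints skipped: load the row, compare its
// creator to the caller, and only then apply fn. Mutating a row fetched by ID alone is the IDOR.
func (s *Store) withOwned(callerID, memoID int, fn func(*Memo)) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	m, ok := s.memos[memoID]
	if !ok {
		return ErrNotFound
	}
	if m.CreatorID != callerID {
		return ErrForbidden
	}
	fn(m)
	return nil
}

// Delete backs DELETE /api/memo/{id}; SetVisibility backs PATCH /api/memo/{id}.
func (s *Store) Delete(callerID, memoID int) error {
	return s.withOwned(callerID, memoID, func(m *Memo) { delete(s.memos, m.ID) })
}
func (s *Store) SetVisibility(callerID, memoID int, v string) error {
	return s.withOwned(callerID, memoID, func(m *Memo) { m.Visibility = v })
}

// Handler routes PATCH and DELETE /api/memo/{id}. The caller's identity comes from the
// hypothetical X-User-ID header (a stand-in for a session lookup), never from the URL or
// body. ErrForbidden is answered with 404, so an attacker iterating IDs cannot tell
// "exists but not yours" from "does not exist".
func (s *Store) Handler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		callerID, err := strconv.Atoi(r.Header.Get("X-User-ID"))
		if err != nil {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		memoID, err := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/memo/"))
		if err != nil {
			http.Error(w, "bad memo id", http.StatusBadRequest)
			return
		}
		switch r.Method {
		case http.MethodDelete:
			err = s.Delete(callerID, memoID)
		case http.MethodPatch:
			var body struct{ Visibility string `json:"visibility"` }
			if err = json.NewDecoder(r.Body).Decode(&body); err == nil {
				err = s.SetVisibility(callerID, memoID, body.Visibility)
			}
		default:
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		switch {
		case err == nil:
			w.WriteHeader(http.StatusOK)
		case errors.Is(err, ErrNotFound), errors.Is(err, ErrForbidden):
			http.Error(w, "not found", http.StatusNotFound) // identical answer for both
		default: // malformed JSON body
			http.Error(w, "bad request", http.StatusBadRequest)
		}
	})
}

// StatusFor drives Handler with one request and returns the response status code.
func (s *Store) StatusFor(method, userID, path, body string) int {
	req := httptest.NewRequest(method, path, strings.NewReader(body))
	req.Header.Set("X-User-ID", userID)
	rec := httptest.NewRecorder()
	s.Handler().ServeHTTP(rec, req)
	return rec.Code
}
```

The same `withOwned` shape applies to the resource, shortcut and Reset API endpoints: every per-object operation must go through the one function that compares the loaded row's owner with the session user. The quick check for this class of bug is two accounts and Burp Suite, as the reporters did: act on an object as user A, replay the request as user B with only the ID swapped, and confirm the second request is refused and the object unchanged.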

My age+YubiKeys Password Management Solution

Password managers are in the news, and it's the holidays, so it's as good a time as ever to describe my password and secret management setup. It's very much not for everyone, but it's minimal, simple, ...


