View any content private memos from other users

# Description User can view any content from private memos from other users via API ``` PATCH /api/memo/8 HTTP/1.1 {"id":8,"rowStatus":"ARCHIVED"} ``` # Proof of Concept Login to website in b ...

Archive any private memos + Delete any Shortcut + Edit any Shortcut from other users

# Description User can archive any private memos, Delete any Shortcut and Edit any Shortcut from other users via api ``` PATCH /api/memo/8 HTTP/1.1 {"id":8,"rowStatus":"ARCHIVED"} ``` ``` PATCH /api/s ...

CSRF allows attacker to add malicious tags to victim account

# Description Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks explo ...

Delete any post for all users via IDOR

# Description Delete any post for all users via IDOR # Proof of Concept 1- Post anything 2- Open Burp Suite to intercept the request 3- When deleting the post, we will notice that there is DELETE /a ...

Reset API any user via IDOR

# Description Reset API any user without taking action from him via IDOR # Proof of Concept 1- Create a user 2- Go to setting 3- Open Burp Suite to object to the requisition 4- Click on it Reset API 5 ...

A user can delete other user’s post

# Description As the title, an attacker can delete other user's post via post id (can be bruteforce) Here is video poc: https://drive.google.com/file/d/18QucWYwkpO9kVPMqNzSQ-ptwrZGk-UP9/view?usp=share ...

Delete all notes of all users in application

# Description A user with login permission can delete all notes of the whole application via API DELETE https://demo.usememos.com/api/memo/$idnote # Proof of Concept # Link: https://drive.google.com ...

Unauthorized Attacker Can Change Visibility Status of Victim’s Memos

An attacker can make a private memo into a public memo in order to view it. All the attacker needs to know is the memo ID and they can make a `PATCH` request to `/api/memo/` with the following request ...
