The Day I Became Everyone: How User Swapping Turned Me into a Digital Shapeshifter
Summary: While testing MultiCorp's API, the author found an access-control flaw that unintentionally granted the permissions of every user and led to a data leak.

2025-10-30 08:57:2 Author: infosecwriteups.com (view original) Views: 7

Iski

Hey there!😁

Free Link 🎈


Image by AI

You know that episode of Phineas and Ferb where they build a machine that lets them swap bodies and chaos ensues? Yeah, that was me last week, except instead of a sci-fi machine, I found some poorly validated API endpoints, and instead of swapping with my brother, I became every user in the system. Perry the Platypus would have been so disappointed in their security. 🦦

I was testing “MultiCorp,” a company that bragged about their “role-based access control” and “user isolation.” What they actually had was more “user suggestion control” and “user mild-separation.”

Act 1: The Accidental Discovery — “Hey, Where’d My Data Go?” 🤔

After my usual recon (I’ve started giving subfinder motivational speeches), I found MultiCorp's API. I had two test accounts: user_a (basic permissions) and user_b (slightly less basic permissions).


Source: https://infosecwriteups.com/the-day-i-became-everyone-how-user-swapping-turned-me-into-a-digital-shapeshifter-91358848a593?source=rss----7b722bfd1b8d--bug_bounty
For copyright concerns, contact: admin#unsafe.sh