IDORs with unpredictable IDs are valid vulnerabilities in metersphere/metersphere
Mar 27th 2023
1 Create two workspaces, workspace1 and workspace2, with admins admin1 and admin2 respectively.
2 Log in as user1 and create project1.
4 Use Burp Suite to intercept the request and replace workspace1's workspaceId with workspace2's workspaceId.
5 We find that the new project has been added to workspace2, even though the logged-in user is not the admin of workspace2.
IDORs with unpredictable IDs are also valid vulnerabilities; see https://rez0.blog/hacking/cybersecurity/2022/08/18/unpredictable-idors.html
We only use "add project" as an example. The same workspaceId substitution lets you perform other operations on another workspace.
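The report's point is that a hard-to-guess workspaceId is not an authorization check: the server must verify that the session user is entitled to act on the workspace named in the request. The following is an added illustration, not MeterSphere's code; the workspace ids are placeholders, and it assumes admin1 is the logged-in user in steps 2 to 5.

```python
# Added example, not MeterSphere's code: a model of the flaw in the report and
# its fix. A workspace-scoped endpoint must authorize the caller against the
# workspaceId it receives; an unguessable id is not a permission check.

# Constructed sample data: two workspaces with different admins, as in step 1.
WORKSPACE_ADMINS = {
    "ws-1f3a9c": {"admin1"},  # workspace1 (placeholder id)
    "ws-7b2e4d": {"admin2"},  # workspace2 (placeholder id)
}


class Forbidden(Exception):
    pass


def add_project_vulnerable(store, current_user, workspace_id, name):
    """Trusts the client-supplied workspaceId: any logged-in user can add a
    project to any workspace whose id they capture or are given."""
    if workspace_id not in WORKSPACE_ADMINS:
        raise KeyError(workspace_id)
    store.setdefault(workspace_id, []).append(name)
    return name


def add_project_fixed(store, current_user, workspace_id, name):
    """Server-side check: the session user must be an admin of the workspace
    named in the request, so a swapped workspaceId is rejected."""
    admins = WORKSPACE_ADMINS.get(workspace_id)
    if admins is None or current_user not in admins:
        # One response for "unknown workspace" and "not a member", so the
        # endpoint does not confirm which workspace ids exist.
        raise Forbidden(f"{current_user} may not add projects here")
    store.setdefault(workspace_id, []).append(name)
    return name


def cross_workspace_write_blocked(handler):
    """Replay steps 2-5 with admin1 as the logged-in user (an assumption; the
    report says user1) and workspace2's id substituted into the request.
    Returns True only if nothing landed in workspace2."""
    store = {}
    handler(store, "admin1", "ws-1f3a9c", "project1")  # legitimate request
    try:
        handler(store, "admin1", "ws-7b2e4d", "project1")  # tampered workspaceId
    except Forbidden:
        pass
    return "ws-7b2e4d" not in store
```

Running `cross_workspace_write_blocked` against each handler shows the vulnerable version accepting the tampered request and the fixed version refusing it while still allowing admin2 to manage workspace2.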