Business Logic error lead to race condition in erudika/para

Valid

Reported on

May 18th 2022


Description

I have found a business logic bug in the Para application: a free user can create more than 1 app even after the app limit is reached.

Proof of Concept

1. Go to https://paraio.com/apps

2. Create a new app

3. Enter the name of the app

4. Intercept the request in Burp Suite, send it to Intruder and select the Numbers payload type

5. Start the attack

Video PoC: https://drive.google.com/file/d/1xyUY-QK0y_XIPKjfkh-nib6HsTVELP9R/view?usp=sharing

Screenshot of PoC: https://drive.google.com/file/d/1Mqr9WNqWWwcPBN8xqxITYwvV8wXhoLbx/view?usp=sharing

Impact

Business Impact

A free user can create more than 1 app, so they don't have to pay for this service, which is very dangerous for your business.
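The bug the PoC triggers is a check-then-act race: the "how many apps does this user have" check and the insert run as separate steps, so requests fired in parallel all pass the check before any of them is recorded. The following Go model is an added illustration, not Para's code and not part of the report; `freePlanAppLimit`, `Account`, `CreateAppRacy`, `CreateAppSafe` and `Fire` are hypothetical names, and the 2 ms sleep stands in for request latency.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

const freePlanAppLimit = 1 // assumed free-plan quota (hypothetical value)
// Account tracks how many apps one user owns; mu is used only by CreateAppSafe.
type Account struct{ mu sync.Mutex; count int32 }
// CreateAppRacy mirrors the reported bug: the quota check and the insert are two
// separate steps, so concurrent requests can all pass the check before any adds.
func (a *Account) CreateAppRacy(name string) error {
	if atomic.LoadInt32(&a.count) >= freePlanAppLimit {
		return fmt.Errorf("app limit reached, rejected %s", name)
	}
	time.Sleep(2 * time.Millisecond) // stands in for request latency
	atomic.AddInt32(&a.count, 1)
	return nil
}

// CreateAppSafe makes check and insert one critical section per account. Across
// several server nodes use an atomic conditional write or a datastore constraint.
func (a *Account) CreateAppSafe(name string) error {
	a.mu.Lock()
	defer a.mu.Unlock()
	if a.count >= freePlanAppLimit {
		return fmt.Errorf("app limit reached, rejected %s", name)
	}
	a.count++
	return nil
}

// Fire issues n concurrent create requests and returns how many were accepted.
func Fire(n int, create func(string) error) int {
	var ok int32
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			if create(fmt.Sprintf("app-%d", i)) == nil {
				atomic.AddInt32(&ok, 1)
			}
		}(i)
	}
	wg.Wait()
	return int(ok)
}
```

Running `Fire(20, racy.CreateAppRacy)` typically accepts all 20 requests, while `Fire(20, safe.CreateAppSafe)` accepts exactly `freePlanAppLimit`; the same serialization is what a fix must provide at the datastore level when more than one server instance handles requests.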

We are processing your report and will contact the erudika/para team within 24 hours. a month ago
We have contacted a member of the erudika/para team and are waiting to hear back a month ago
We have sent a follow up to the erudika/para team. We will try again in 7 days. a month ago
Alex Bogdanovski validated this vulnerability a month ago
Vishal Vishwakarma has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alex Bogdanovski confirmed that a fix has been merged on fa677c a month ago
Alex Bogdanovski has been awarded the fix bounty
Vishal
a month ago

Researcher


@admin can you please assign a CVE

Jamie Slome
a month ago

Admin


Sorted 👍 Anything else I can support with?
