
Broken Access Control leads to full access to all company customers, users, infrastructure, employees ...



Published 3 months ago


Hi, this is the DevSecure Team. We specialize in uncovering hidden vulnerabilities that pose real-world risks to modern web applications.
All vulnerabilities shared in these write-ups are fully redacted: any company names, domains, or sensitive details are replaced with placeholders such as company.com. Each finding was responsibly disclosed through the Intigriti platform and has been verified and resolved by the affected vendor.

Every post represents our commitment to ethical hacking, responsible disclosure, and continuous learning, helping organizations strengthen their defenses while contributing to a safer global cybersecurity ecosystem.

Broken Access Control leads to full access to all company customers, users, infrastructure, contacts and employees' sensitive information (names, emails, phones, and in some cases even passwords for admins and servers), plus a QueryBuilder that can be used to export sensitive data.
It all started when I was doing recon for *.company.eu. In a documentation file I found a reference to a SharePoint host used for company storage; I tried to access it with my own credentials and it let me in:
companycloud.sharepoint.com
Then I started searching for any information I could use to get access to other services, and I found all these resources, all of them containing sensitive information.

1/ companycloud.sharepoint.com has a lot of important and sensitive sites inside it:

AdminFiles
PrivateFiles

Let's start with the query builder: search for "query builder", click on it, and you get access to a form interface where you can build a query.
Choose a list (in this case there are more than 20 lists).
I chose the (User Information List) and added the columns you want to see; for the POC I chose just:

Name
Email
UserName
WorkPhone

and I got all users in the database (more than 7000 users). You can access the XML result from here:
https://companycloud.sharepoint.com/sites/*******/items?$select=Name%2CEMail%2CUserName%2CWorkPhone&$top=10000

That's just a POC; you can use any of the other 20 lists besides (User Information List) and any of the columns.

The SharePoint has a lot of sensitive information about internal employees, infrastructure, backups, customers and users.
In this report I give you just a POC of how sensitive this is, but if an attacker gets access to this sort of information, be sure it will have a catastrophic impact on the whole company.
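As an added example (not the author's code), the following Python audit script turns the query-builder finding above into a repeatable check a SharePoint owner can run with a deliberately low-privilege test account: it builds the standard `/_api/web/lists/getbytitle(...)/items?$select=...&$top=...` REST URL for each list, follows `odata.nextLink` pages, and reports which lists return rows containing the user columns the write-up exported. The site URL, the 5000 `$top` cap, the JSON shape (`Accept: application/json;odata=nometadata`) and the sample responses are assumptions; `fetch` is injected so the paging logic runs offline.

```python
from urllib.parse import quote

SENSITIVE_COLUMNS = {"EMail", "Name", "UserName", "WorkPhone"}
PAGE_SIZE = 5000  # assumed SharePoint Online cap on $top (list view threshold)


def items_url(site_url, list_title, columns, top=PAGE_SIZE):
    """Build the REST URL the low-privilege audit account will try to read."""
    return (f"{site_url}/_api/web/lists/getbytitle('{quote(list_title)}')"
            f"/items?$select={','.join(columns)}&$top={top}")


def count_readable_rows(site_url, list_title, columns, fetch, limit=20000):
    """Count rows the audit account can read, following odata.nextLink pages.
    fetch(url) returns the decoded JSON body, or None on 401/403; stops at limit."""
    url = items_url(site_url, list_title, columns)
    total = 0
    while url and total < limit:
        body = fetch(url)
        if body is None:
            return 0  # access denied: the expected result for a member account
        total += len(body.get("value", []))
        url = body.get("odata.nextLink")
    return total


def audit(site_url, list_titles, fetch):
    """Return {list_title: readable_rows} for every list that leaks rows."""
    findings = {}
    for title in list_titles:
        rows = count_readable_rows(site_url, title, sorted(SENSITIVE_COLUMNS), fetch)
        if rows:
            findings[title] = rows
    return findings


# Constructed sample responses standing in for a live tenant (placeholder site).
SITE = "https://companycloud.sharepoint.com/sites/example"
_PAGE1 = items_url(SITE, "User Information List", sorted(SENSITIVE_COLUMNS))
_PAGE2 = _PAGE1 + "&$skiptoken=Paged%3DTRUE%26p_ID%3D2"  # constructed nextLink
SAMPLE_RESPONSES = {
    _PAGE1: {"value": [{"Name": "User One", "EMail": "one@company.com"},
                       {"Name": "User Two", "EMail": "two@company.com"}],
             "odata.nextLink": _PAGE2},
    _PAGE2: {"value": [{"Name": "User Three", "EMail": "three@company.com"}]},
}


def sample_fetch(url):
    """Stand-in for an authenticated HTTP GET; unknown lists behave as 403."""
    return SAMPLE_RESPONSES.get(url)
```

Any list that appears in the result for a plain member account should have its permissions reviewed; the User Information List in particular should not be readable in bulk by every site member.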
https://app.intigriti.com/profile/merroun
