
writeup galxy dash

weekly challenge: 17/01/26 - 24/01/26

  • 🟡 difficulty: medium
  • xp earned: 50
  • 📂 categories: api
  • 🛠️ vulns: broken object property authorization

0x00: recon

  • to start our analysis, we can create our organization

    (screenshot: recon)

  • there are so many features to see and so many endpoints to analyze, so i will jump straight to the vulnerable feature: team management

0x02: fuzzing

  • let's add a new member to our organization

    (screenshot: team)

  • intercepting the request with burp, we see a json body with a few entries; the response contains the id of the new user and our organization id

    (screenshot: user)

  • when testing apis, the first thing i check is whether it's possible to modify user properties (mine and other users') that, in principle, shouldn't be writable. in this case, note that the organization_id property isn't in the request body, so: will it be possible to add it and assign the user to another team?

    (screenshot: maurizio sarri)

  • we added a user to the organization with id 3
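to make the root cause concrete, here is an added example (not code from the challenge or the writeup) that models the "add member" handler in two forms: the vulnerable one, which copies every json property from the request body into the new record (so a client-supplied organization_id overrides the server's value), and the hardened one, which only accepts an allowlist of writable fields and always takes organization_id from the authenticated session. the field names (name, email, role), the session shape and the in-memory store are assumptions made for the example, not details from the challenge.

```python
"""added example: mass-assignment (broken object property authorization)
on an "add member" endpoint, vulnerable form beside the hardened form.
field names, session shape and the in-memory store are assumptions."""
from dataclasses import dataclass, field
from typing import Any, Dict


@dataclass
class Session:
    """authenticated caller; the server knows which org they belong to."""
    user_id: int
    organization_id: int


@dataclass
class Store:
    """tiny in-memory stand-in for the users table."""
    users: Dict[int, Dict[str, Any]] = field(default_factory=dict)
    next_id: int = 1

    def insert(self, record: Dict[str, Any]) -> Dict[str, Any]:
        uid = self.next_id
        self.next_id += 1
        self.users[uid] = {"id": uid, **record}
        return self.users[uid]


def add_member_vulnerable(session: Session, body: Dict[str, Any], store: Store) -> Dict[str, Any]:
    """mass assignment: the server sets organization_id from the session,
    then blindly merges the whole request body on top, so a client that
    adds organization_id to the json wins."""
    record: Dict[str, Any] = {"organization_id": session.organization_id}
    record.update(body)
    return store.insert(record)


# the only properties a caller is allowed to set on a new member
WRITABLE_FIELDS = frozenset({"name", "email", "role"})


def add_member_hardened(session: Session, body: Dict[str, Any], store: Store) -> Dict[str, Any]:
    """explicit allowlist of writable properties; any other key is rejected
    (rather than silently dropped, so the attempt is visible in logs), and
    organization_id is always derived server-side from the session."""
    unexpected = set(body) - WRITABLE_FIELDS
    if unexpected:
        # rejecting loudly gives the detection team something to alert on
        raise PermissionError(f"non-writable properties in request: {sorted(unexpected)}")
    record = {k: body[k] for k in WRITABLE_FIELDS if k in body}
    record["organization_id"] = session.organization_id
    return store.insert(record)


def demo() -> Dict[str, Any]:
    """run both handlers against the same tampered body (constructed input)."""
    session = Session(user_id=42, organization_id=1)
    tampered = {"name": "example member", "email": "member@example.invalid",
                "role": "member", "organization_id": 3}

    leaked = add_member_vulnerable(session, tampered, Store())
    try:
        add_member_hardened(session, tampered, Store())
        hardened_rejected = False
    except PermissionError:
        hardened_rejected = True

    clean = {k: v for k, v in tampered.items() if k != "organization_id"}
    safe = add_member_hardened(session, clean, Store())
    return {
        "vulnerable_org": leaked["organization_id"],   # 3: attacker-chosen
        "hardened_rejected": hardened_rejected,        # True: tampered body refused
        "hardened_org": safe["organization_id"],       # 1: taken from the session
    }


if __name__ == "__main__":
    print(demo())
```

the design choice worth noting is the allowlist plus a hard reject: a denylist of "sensitive" fields tends to miss the next property that gets added to the model, and silently dropping unknown keys hides tampering attempts that an alert on the PermissionError would surface.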

0x03: show me the flag

  • when we log in with those credentials, we take the flag!

    (screenshot: the four horseman)