Logic Data Validation

Check List

Methodology

Black Box

Accessing Reviews via Manipulated UUID

1

As the Workspace Owner Create a new project

2

Add User A as Member

3

Add User B as Reviewer

4

As User A (Member) Go to the Reviews section then Click Share Review and copy the generated link

5

Intercept and Manipulate the Request Intercept the request using Burp Suite / any proxy too and Send the request to Repeater

6

Modify the request body and change the UUID value to

 "uuid": "@evil.com"

7

Forward the request

8

The server responds with a malformed review URL like

"reviewURL": https://example.com/sketch/@evil.com

9

Login as Owner or Admin and Try to open the review normally

10

The page responds with

404 Not Found

11

The review becomes inaccessible to the Owner and Admin

---

White Box

Cheat Sheet