Hi team,

It is a premium feature for users to add notes to an asset they create.

However, I found a Business Logic vulnerability that allows users to use this feature even if they are not premium.

Steps

1- Go to redacted application and click the my assets button. https://redacted.com/MyAssets
2-Click on the add Assets button and create a new item, complete the whole process. During this process, you will not be able to add a note to the Additionnals Information (Notes) field.

3- When the asset creation process is completed, you will see a summary area like the one below. Since you’re not a premium user, you will not be able to intervene in this area.

4- Now go back to the My Assets area and open Burp Suite (Intercept), click on the arrow sign to edit the item you created.

5- You will see a request of the following type, view the response to the request and change the premium:false parameter to premium:true. Submit the request.

6- Go back to the page and click on the edit button, you will now be able to directly change the Additionnals informations field. Click on the save button and you will see that you have added notes permanently, even if it is a premium feature.

Adding notes to any asset is a premium feature, but we can bypass this via the premium: parameter in the body part of the request. The notes field will be added permanently.