This vulnerability is categorized in the OWASP Top 10 (2021).
How can you check whether the application enforces proper access control for each user?
Functionality-
As a superuser, this application allowed me to add trustworthy team members (whenever an application supports such functionality, it is obviously worth cross-verifying that a user with lower privileges cannot perform any malicious action).
Observation-
During my assessment, I observed that the application has the functionality to add team members to the account. Invited members can be granted access to the different functions available in the application, such as billing and superuser.
I noticed that an invited user whose permission is restricted to billing only can't delete API keys created in the main account, since his/her access is limited to billing actions.
But using this vulnerability, a billing-only user account can escalate his/her privileges and delete API keys created in the main account.
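The root cause described above is a server-side check that confirms the key belongs to the caller's account but never asks whether the caller's role is allowed to delete keys. The following is an added example (not code from the assessed application) that models the two variants of the delete handler side by side and builds the role-by-action matrix a tester uses to spot the gap. The names Permission.BILLING, Permission.SUPERUSER, ApiKey, AccountStore and the sample users and key are assumptions constructed for this illustration.

```python
"""Server-side authorization for an "API key delete" action: the check whose
absence lets a billing-only team member delete the parent account's keys.

Added example, not code from the assessed application. Permission,
User, ApiKey and AccountStore are assumed names; all data is constructed.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class Permission(Enum):
    BILLING = auto()    # may view and pay invoices only
    SUPERUSER = auto()  # full control of the account, including API keys


@dataclass(frozen=True)
class User:
    user_id: str
    account_id: str
    permissions: frozenset


@dataclass
class ApiKey:
    key_id: str
    account_id: str
    name: str


class AuthorizationError(Exception):
    """Raised when the acting user lacks the permission an action requires."""


@dataclass
class AccountStore:
    api_keys: dict = field(default_factory=dict)

    def _lookup(self, actor: User, key_id: str) -> ApiKey:
        key = self.api_keys.get(key_id)
        # Tenant check only: the key must belong to the actor's own account.
        if key is None or key.account_id != actor.account_id:
            raise KeyError(key_id)
        return key

    def delete_api_key_vulnerable(self, actor: User, key_id: str) -> None:
        # Confirms the key is in the actor's account but never checks the
        # actor's role, so any invited member (billing-only included) can delete.
        self._lookup(actor, key_id)
        del self.api_keys[key_id]

    def delete_api_key_hardened(self, actor: User, key_id: str) -> None:
        # Same tenant check, plus an explicit permission check on the actor.
        key = self._lookup(actor, key_id)
        if Permission.SUPERUSER not in actor.permissions:
            raise AuthorizationError(
                f"user {actor.user_id} may not delete key {key.name}")
        del self.api_keys[key_id]


def fresh_store() -> AccountStore:
    # Constructed sample data: one parent account holding one API key.
    return AccountStore(api_keys={
        "k1": ApiKey("k1", "acct-1", "you_can't_delete_this!"),
    })


# Constructed sample users: the account owner, a billing-only invitee and a
# superuser of an unrelated account.
SUPERUSER = User("dataa", "acct-1", frozenset({Permission.SUPERUSER}))
BILLING_ONLY = User("invitee", "acct-1", frozenset({Permission.BILLING}))
OUTSIDER = User("stranger", "acct-2", frozenset({Permission.SUPERUSER}))


def who_can_delete(handler_name: str) -> dict:
    """Run one handler as each role against a fresh store and report whether
    the key ended up deleted. This is the role-by-action matrix a tester
    builds; every cell should match the intended policy."""
    results = {}
    for label, actor in [("superuser", SUPERUSER),
                         ("billing_only", BILLING_ONLY),
                         ("other_account", OUTSIDER)]:
        store = fresh_store()
        try:
            getattr(store, handler_name)(actor, "k1")
        except (KeyError, AuthorizationError):
            pass  # a denied request leaves the key in place
        results[label] = "k1" not in store.api_keys
    return results


if __name__ == "__main__":
    print("vulnerable:", who_can_delete("delete_api_key_vulnerable"))
    print("hardened:  ", who_can_delete("delete_api_key_hardened"))
```

Running the matrix shows the difference in one glance: the vulnerable handler lets the billing-only invitee delete the key, while the hardened handler only lets the superuser do so. The same matrix approach (each role against each sensitive action, asserting on the outcome) is the systematic way to answer the "how can you check" question from the introduction.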
Impact:
This vulnerability allows an attacker to delete API keys from the parent account.
Let’s see it via the POCs-
Mr dataa is a superuser who has created a token named you_can’t_delete_this!