Galaxy Dash - Type Confusion
This was a lab I really struggled with, mainly because I didn't understand the attack vector and had never encountered a vulnerability like it. I'm not gonna pretend that I discovered the solution, so this is pretty much just a walkthrough.
We're presented with a B2B application to ship stuff around the galaxy. We need to register our business.
On the endpoint where an admin can add users, we see that when we add a user, the response holds an organization_id. In the screenshot this is 4 and represents our organization.

So we could try adding this field to a new user ourselves, in the hope that the user gets assigned to another organization. However, this does not work.

But the trick here is that JS isn't a statically-typed language, meaning you don't have to write something like int idNumber = 2 or String name = 'shadow' as you would in Java; JS usually figures the type out on its own. So instead of passing organization_id as an integer, we pass the same value as a string, and the server handles that string differently from the integer it rejected.
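To make the bug class concrete, here is an added example that is not the lab's code (the lab's real server logic is unknown): a pair of simplified request handlers in plain Node.js, with no framework. The vulnerable handler is an assumption modelled to reproduce exactly what the writeup observed, an integer organization_id being refused while a string one is accepted, because its ownership check only runs when the field is a number and the storage layer later casts the string to an integer. The hardened handler beside it never lets the client choose the organization at all, so the JSON type of the field stops mattering. All request values are constructed.

```javascript
// Added example, not the lab's code. The vulnerable handler is an ASSUMPTION that
// reproduces the observed behaviour: integer organization_id rejected, string accepted.
// Handlers take a plain request object {session, body} so this runs without a framework.

const SESSION_ORG_ID = 4; // the requesting admin's own organization (constructed value)

// Vulnerable version: the ownership check is gated on the JSON type of the field.
// A string value skips the check, and the simulated database cast turns "5" into 5.
function createUserVulnerable(req) {
  const { username, organization_id } = req.body;
  if (typeof organization_id === 'number' && organization_id !== req.session.organization_id) {
    return { status: 403, error: 'cannot create users in another organization' };
  }
  // Simulate an ORM casting the integer column: Number('5') === 5.
  const orgId = organization_id === undefined
    ? req.session.organization_id
    : Number(organization_id);
  return { status: 201, user: { username, organization_id: orgId } };
}

// Hardened version: validate input types strictly, reject any client-supplied
// organization_id outright, and take the organization from the server-side session.
function createUserHardened(req) {
  const { username, organization_id } = req.body;
  if (typeof username !== 'string' || username.length === 0) {
    return { status: 400, error: 'username must be a non-empty string' };
  }
  if (organization_id !== undefined) {
    return { status: 400, error: 'organization_id is not a client-settable field' };
  }
  return { status: 201, user: { username, organization_id: req.session.organization_id } };
}

// Build a request as the admin of organization 4 would send it (constructed).
function makeRequest(body) {
  return { session: { organization_id: SESSION_ORG_ID }, body };
}

// Replay the writeup's three attempts: no field, integer field, string field,
// plus the string attempt against the hardened handler.
function demo() {
  return {
    plain: createUserVulnerable(makeRequest({ username: 'shadow' })),
    integer: createUserVulnerable(makeRequest({ username: 'shadow', organization_id: 5 })),
    string: createUserVulnerable(makeRequest({ username: 'shadow', organization_id: '5' })),
    hardenedString: createUserHardened(makeRequest({ username: 'shadow', organization_id: '5' })),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the integer attempt answered with 403, the string attempt answered with 201 and a user in organization 5, and the hardened handler returning 400 for the same string. The defensive lesson is independent of how the lab's check was actually written: an authorization decision should never depend on the type a client chose for a field, and fields that identify the tenant should be assigned server-side rather than validated after the client has set them.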

Success! I actually made an admin for another organization!
Now all I need to do is log in as that user.

New organization, and a new flag 🇧🇪