This demo project is an approximation of Facebook's "View As" vulnerability that affected 50 million accounts. It demonstrates an insecure identity pattern used in API impersonation scenarios
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.

This is the source code of a demo that I prepared for the talk "Gaining lateral movement in cloud solutions by leveraging bad API impersonation designs", delivered at NULL Hyderabad security meetup. In a nutshell, this demo is an approximation of Facebook's View As vulnerability More details about this demo are on this blog post

Note: The demo was purposefully built with several identity-related design & implementation vulnerabilities, and basic webapp-related security controls were ignored. Please do not take it as an implementation reference for your production systems!