Privilege Escalation with simple recon

Today I want to share a privilege escalation chain with blind XSS that I found on a private site. In this write-up I explain how I found the privilege escalation and the methodology behind it.

Before starting the exploitation part, some background on the target application. I was invited to a private program where one of the target websites, let’s say “ ”, had a subdomain “” with functionality for selling books and newsletters online. Before starting actual testing on this subdomain I performed some recon on it: directory search, Nmap, Wayback, etc. During the directory search I found an interesting directory, cAdmin.asp, with a 301 status code. When I opened this directory “” I was redirected to the login page “”, so I assumed I needed admin credentials to get access to it.

After some time I opened this URL ( in my Chrome browser with a normal user session and got a forbidden message on my screen. But after scrolling, I found four buttons: admin.asp, addresses.asp, Cpanel.asp, store.asp. Of these four buttons only addresses.asp worked: when I clicked it I successfully entered the administrator menu.

[Image: administrator menu]

After getting this I was able to access only the address functionality, so I went into “view addresses”.

[Image: view addresses]

I was able to update or remove any user’s address. For testing purposes, I updated the address of my other account with an XSS payload, and when I logged into my second account the XSS payload fired. The reverse is also possible: from a normal user account, add an address with an XSS payload, then open the administrator menu and the XSS payload fires there.

So with this XSS the cookie of any user can be stolen from the administrator menu, and from a normal user account the administrator’s cookie can be stolen.
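As an added illustration (not the author’s code, and not the target’s real ASP), here is a small Python model of the two defects described above: the admin index checks the role but its sub-pages do not, and stored addresses are echoed into HTML unescaped. serve_vulnerable reproduces that behaviour; serve_fixed shows the server-side authorization check on every admin resource plus output encoding that close both issues. The session dict, role names and sample addresses are constructed.

```python
import html

# Names taken from the write-up: the admin index and the four sub-pages it links to.
ADMIN_INDEX = "cAdmin.asp"
ADMIN_PAGES = {"admin.asp", "addresses.asp", "Cpanel.asp", "store.asp"}

# Constructed sample data: one user has stored a test payload in the address field.
ADDRESSES = {
    "alice": "1 Main St",
    "bob": "<script>alert(1)</script>",  # constructed test payload, not the author's
}

def address_list(escape):
    """Render the stored addresses as HTML, optionally HTML-encoding them."""
    enc = html.escape if escape else (lambda s: s)
    return "<ul>" + "".join(f"<li>{enc(u)}: {enc(a)}</li>" for u, a in ADDRESSES.items()) + "</ul>"

def menu():
    return "".join(f'<a href="{p}">{p}</a>' for p in sorted(ADMIN_PAGES))

def serve_vulnerable(session, page):
    """Hypothetical reconstruction of the behaviour described above: only the
    admin index checks the role (and still emits the menu links); the sub-pages
    do no check at all and echo stored addresses verbatim."""
    if page == ADMIN_INDEX:
        if session["role"] != "admin":
            return 403, "Forbidden" + menu()  # forbidden, yet the buttons are there
        return 200, menu()
    if page in ADMIN_PAGES:
        return 200, address_list(escape=False)  # no authorization, no encoding
    return 404, ""

def serve_fixed(session, page):
    """Hardened form: every resource under the admin area enforces the role
    check server-side, and stored values are HTML-escaped on output."""
    if page == ADMIN_INDEX or page in ADMIN_PAGES:
        if session["role"] != "admin":
            return 403, "Forbidden"  # same answer for every admin resource
        if page == ADMIN_INDEX:
            return 200, menu()
        return 200, address_list(escape=True)
    return 404, ""

if __name__ == "__main__":
    normal = {"user": "bob", "role": "user"}
    for handler in (serve_vulnerable, serve_fixed):
        status, body = handler(normal, "addresses.asp")
        print(handler.__name__, status, "raw script tag present:", "<script>" in body)
```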

Thanks to:

The Bugcrowd team for allowing disclosure of this issue.

Hritik Sharma for his write-up about privilege escalation.


23rd Sept: Initial discovery.

24th Sept: Triaged by the Bugcrowd team.

16th Oct: $xxxx bounty rewarded.
