Privilege Escalation | stealing user’s point | Bugcrowd
Hi guys! This blog is about how I found privilege escalation on a web application.
It is an E-commerce website that allows users to buy stuff, earn points and convert them to coupon codes that can be used for future purchases. The scope consists of 2 URLs:
- The user management page: where a user can edit details, set preferences and convert points into coupon codes.
- Shopping page: Where a user can buy the listed items and use the coupon code generated earlier.
I start by exploring the application URL that are in-scope and how they are linked to each other in terms of the following:
- Sharing data
- User privileges
After exploring the application for a while, I found an API endpoint that was implemented differently from all the other APIs in the application. The APIs followed the basic cookie-based authentication for session management but this vulnerable API functioned differently because it did not required any authentication cookies.
It uses the Email ID and an external reference ID for performing an action, which is used to convert the user’s points to coupon code. The coupon can be used on the shopping page for availing discounts.
Now to create a valid attack scenario, I need an Email ID and the corresponding external reference ID. So I created a different account to check for the external ID’s entropy. It was a random alphanumeric string after the first 6 digits so I had to brute-force the T-6 digits( where T is the total length of the string from the start). The endpoint was missing a rate-limit check so that gave me hope.
Now to perform the attack I brute-forced a list of Email IDs and randomly generated external IDs using intruder and it worked. The other way of getting the external ID is via the forgot password link( if any user has used the forgot password URL for resetting the password, the external ID is appended in the token for that URL and it is saved in the browser history). By this method, I can use the points of any user in the application and buy products.
This issue was triaged P3.
About me: Abhind