Privilege Escalation by Changing HTTP Response (Admin Access)
A story about how I got a bug from a marketplace in Indonesia.
Hello everyone, this is my first writeup for this community. I hope you enjoy it!
I discovered this vulnerability in April; the target was a marketplace in Indonesia. Let’s say the target is Redacted.com. The target has a few websites and uses single sign-on (SSO) to log in to them. Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials to access multiple applications or websites.
Now register on redacted.com and complete the registration, go to the profile page, and intercept the request with Burp Suite to see the HTTP response. I found an “is_admin”:false parameter in the HTTP response, which caught my attention. Then I did subdomain enumeration with Sublist3r and found admin.redacted.com.
admin.redacted.com needs credentials to log in, but I realized the website uses SSO to authenticate users. So, go to admin.redacted.com, intercept the request, and change the “is_admin”:false parameter to “is_admin”:true. Boom, I successfully logged in as admin. I was able to edit (delete, add) products, edit (delete, add) banners, etc.
Why does this happen?
admin.redacted.com validates only on the frontend: the frontend takes the “is_admin” parameter to decide whether the user is an admin or not, so an attacker can perform a man-in-the-middle (MITM) attack, changing the HTTP response to “is_admin” = true.
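To make the root cause concrete, here is an added example (not code from the original post) showing the frontend-only check next to a server-side check that ignores any client-controlled flag. The SESSIONS store, the request shape and the function names are hypothetical.

```javascript
// Added example, not code from the post. SESSIONS and the request shape are hypothetical.

// Constructed server-side session store: session id -> account record.
// The role is kept here, where the client cannot edit it.
const SESSIONS = new Map([
  ["sess-user-1", { user: "alice", is_admin: false }],
  ["sess-admin-1", { user: "ops", is_admin: true }],
]);

// Vulnerable pattern (what the post describes): the admin frontend reads the
// is_admin flag from the profile response body and gates the admin UI on it.
// Anyone who can edit that response in a proxy can flip the flag.
function vulnerableFrontendIsAdmin(profileResponseBody) {
  const profile = JSON.parse(profileResponseBody);
  return profile.is_admin === true;
}

// Hardened pattern: each admin request is authorized on the server from the
// session cookie alone. Any is_admin value the client sends is ignored.
function serverAuthorizeAdminRequest(request) {
  const session = SESSIONS.get(request.cookies && request.cookies.session);
  if (!session) return { status: 401, body: "login required" };
  if (session.is_admin !== true) return { status: 403, body: "forbidden" };
  return { status: 200, body: `admin panel for ${session.user}` };
}

// Constructed traffic: the original profile response and a copy edited in a proxy.
const originalResponse = JSON.stringify({ user: "alice", is_admin: false });
const tamperedResponse = JSON.stringify({ user: "alice", is_admin: true });

// Constructed request from the non-admin user who also puts is_admin:true in the body.
const tamperedRequest = {
  cookies: { session: "sess-user-1" },
  body: { is_admin: true },
};

// Runs both checks and returns the outcomes side by side.
function demo() {
  return {
    frontendOriginal: vulnerableFrontendIsAdmin(originalResponse), // false
    frontendTampered: vulnerableFrontendIsAdmin(tamperedResponse), // true: the bug
    serverTampered: serverAuthorizeAdminRequest(tamperedRequest).status, // 403
    serverAdmin: serverAuthorizeAdminRequest({ cookies: { session: "sess-admin-1" } }).status, // 200
    serverNoSession: serverAuthorizeAdminRequest({ cookies: {} }).status, // 401
  };
}
```

On the detection side, the server-side 403s on admin endpoints from a valid non-admin session are the signal worth logging and alerting on, since the frontend-only check produces no server record at all.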
Timeline of the Report
April 17, 2020 : Report Sent
April 21, 2020 : Triaged
May 8, 2020 : Bounty Rewarded (Rp 8.000.000)