Privilege Escalation by Changing HTTP Response (Admin Access)

A story about how I found a bug in a marketplace in Indonesia.

Figure 1 Privilege Escalation

Hello everyone, this is my first writeup for this community. I hope you enjoy it!

I discovered this vulnerability in April; the target was a marketplace in Indonesia. Let’s say the target is Redacted.com. The target has a few websites and uses single sign-on (SSO) to log in to them. Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials to access multiple applications or websites.

Register on redacted.com and complete the registration, then go to the profile page and intercept the request with Burp Suite to see the HTTP response. I found an “is_admin”:false parameter in the HTTP response, which caught my attention. Then I did subdomain enumeration with Sublist3r and found admin.redacted.com.

admin.redacted.com needs credentials to log in, but I realized the website uses SSO to authenticate users. So, go to admin.redacted.com, intercept the request, and change the “is_admin”:false parameter to “is_admin”:true. Boom, I was successfully logged in as admin. I was able to edit (delete, add) products, edit (delete, add) banners, etc.

Figure 2 Flow of Execution

Why does this happen?

admin.redacted.com validates only on the frontend: the frontend takes the “is_admin” parameter to decide whether the user is an admin or not, so an attacker can perform a man-in-the-middle (MITM) attack on their own session, changing the HTTP response to “is_admin”: true.
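To make the root cause concrete, here is an added example (not the marketplace's code, and not part of the original writeup) that models both sides: a frontend gate that trusts the `is_admin` flag from the profile response, which a tampered response fools, next to an admin endpoint that derives the role from a server-side session store and ignores anything the client sends. The session ids, user records and endpoint names are constructed for the example.

```python
# Constructed server-side session store: session id -> user record.
# The role lives here; the client never gets to assert it.
SESSIONS = {
    "sess-user-1": {"user_id": 42, "is_admin": False},
    "sess-admin-1": {"user_id": 7, "is_admin": True},
}


def profile_response(session_id):
    """Simulated /profile endpoint. Returning is_admin is fine as a UI hint,
    as long as nothing security-relevant is decided from it on the client."""
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, {"error": "unauthenticated"}
    return 200, {"user_id": user["user_id"], "is_admin": user["is_admin"]}


def vulnerable_admin_gate(profile_body):
    """Frontend-only check, as in the writeup: it believes whatever
    is_admin value arrived in the (interceptable) HTTP response."""
    return profile_body.get("is_admin") is True


def admin_delete_product(session_id, request_body):
    """Hardened admin endpoint: authorization comes only from the server-side
    session looked up by session_id, never from the request body."""
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, {"error": "unauthenticated"}
    # Any is_admin field in the body is attacker-controlled; it is ignored.
    if not user["is_admin"]:
        return 403, {"error": "forbidden"}
    return 200, {"deleted": request_body["product_id"]}


def demo():
    """Replay the writeup's scenario against both checks."""
    _, body = profile_response("sess-user-1")
    tampered = dict(body, is_admin=True)        # response edited in the proxy
    ui_unlocked = vulnerable_admin_gate(tampered)  # True: the UI alone is fooled
    # The same user, even claiming is_admin in the body, is refused server-side.
    status, _ = admin_delete_product("sess-user-1", {"product_id": 1, "is_admin": True})
    return ui_unlocked, status
```

Running `demo()` returns `(True, 403)`: the tampered flag unlocks the frontend, but an endpoint that re-checks the role from its own session state is unaffected.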

Timeline of the Report

April 17, 2020 : Report Sent

April 21, 2020 : Triaged

May 8, 2020 : Bounty Rewarded (Rp 8.000.000)

