Privilege escalation on private program.

Imran Parray
Mar 14, 2019 · 3 min read

Hey Guys,

Hope everyone is doing fine. So today I am going to share another privilege escalation issue which I came across a few days ago while hunting on one of the private programs on Bugcrowd.

Non technical details about issue

The issue was simple: I was able to get access to one of the functionalities in the application which was meant for admins only, so I was able to perform several actions on the admin's behalf. So yeah... it was kind of a privilege escalation issue.

Technical details about issue

The website was using different “User Roles” like “Users, Admins, Managers” etc. in the application. One of the functionalities in the application was to add new “Subscribers” to the account, which was limited to admins only.

And the endpoint to do that looks like:
http://website.com/add/subscribers?token=a3sd123as1d1as31sa21d

This endpoint was only visible to the “admin” role in the application. So my goal was to add new subscribers to my account without having admin “privileges”.

My approach

So I knew that an admin can add new subscribers to our account using this endpoint. Simply browsing this endpoint [ http://website.com/add/subscriber ] from a “Non-Admin” role gave a blank HTML page.

http://website.com/add/subscribers

This means that the website was validating the token at the end of the URL. So I needed to get access to the token somehow to add new subscribers to the account.

So I cleared my previous Burp traffic and started browsing the application from the “non-admin” account. After a few minutes I tried to copy the token from the admin account and searched for it in the Burp traffic.

I was amazed to see that this token was getting leaked to non-admin users in a JavaScript tag.

So I copied the token and added it to the URL, and my final URL looked like:

http://website.com/add/subscribers?token=a3sd123as1d1as31sa21d

On browsing the URL I was able to add new subscribers to the account without having “admin privileges”.

After checking the issue once again, I immediately submitted the vulnerability to the company.
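To make the root cause concrete, here is an added example (not the program's own code) that models the bug in a few Python functions: a handler that treats a static URL token as proof of admin rights, the page template that inlined that token into a script tag for every role, and the hardened versions of both, where authorisation comes from the server-side session role. The function names, the session and account dicts, and the page markup are assumptions made for illustration; the token value is the one quoted in the post.

```python
"""Added example, not the program's own code: a minimal model of the bug in the post."""
import hmac

# Token from the post's URL, used here as the static shared secret the server trusted.
ADD_TOKEN = "a3sd123as1d1as31sa21d"


def render_dashboard_vulnerable(session: dict) -> str:
    # Bug: the admin-only token is inlined into JavaScript for every role,
    # so any logged-in user can read it out of the page source or proxy traffic.
    return f'<script>var addToken = "{ADD_TOKEN}";</script><h1>Hi {session["user"]}</h1>'


def render_dashboard_hardened(session: dict) -> str:
    # Fix: the page carries no secret at all; the admin link is only shown to admins,
    # and the real authorisation decision is made server-side (see below).
    link = ""
    if session.get("role") == "admin":
        link = '<a href="/add/subscribers">Add subscribers</a>'
    return f'<h1>Hi {session["user"]}</h1>{link}'


def add_subscribers_vulnerable(session: dict, token: str, account: dict) -> str:
    # Bug: possession of the token is treated as proof of admin rights.
    if not hmac.compare_digest(token or "", ADD_TOKEN):
        return ""  # the blank page the author saw without the token
    account["subscribers"].append(session["user"])
    return "subscriber added"


def add_subscribers_hardened(session: dict, token: str, account: dict) -> str:
    # Fix: check the role stored in the server-side session. The URL token no
    # longer grants anything, so leaking it would be harmless.
    if session.get("role") != "admin":
        return "403 forbidden"
    account["subscribers"].append(session["user"])
    return "subscriber added"


def token_leaks_to_non_admin(render) -> bool:
    """Regression check: does a page rendered for a non-admin contain the token?"""
    page = render({"user": "alice", "role": "user"})  # constructed non-admin session
    return ADD_TOKEN in page


if __name__ == "__main__":
    acct = {"subscribers": []}
    non_admin = {"user": "alice", "role": "user"}
    print(token_leaks_to_non_admin(render_dashboard_vulnerable))  # True
    print(add_subscribers_vulnerable(non_admin, ADD_TOKEN, acct))  # subscriber added
    print(add_subscribers_hardened(non_admin, ADD_TOKEN, acct))    # 403 forbidden
```

The `token_leaks_to_non_admin` check is the kind of test a team can keep in its suite so that a secret never reappears in pages served to lower-privileged roles.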

So that’s it for now. All the best and Good bye.

Sharing is caring.
