Privilege escalation on private program.

Hey Guys,

Hope everyone is doing fine. So today I am going to share another privilege escalation issue which I came across a few days ago while hunting on one of the private programs on Bugcrowd.

Non-technical details about the issue

The issue was simple: I was able to get access to one of the functionalities in the application which was meant for admins only. So I was able to perform several actions on the admin's behalf. So yeah... it was kind of a privilege escalation issue.

Technical details about the issue

The website was using different “User Roles” like “Users, Admins, Managers” etc. in the application. One of the functionalities in the application was to add new “Subscribers” to the account, which was limited to admins only.

And the endpoint to do that looks like:
http://website.com/add/subscribers?token=a3sd123as1d1as31sa21d

This endpoint was only visible to the “admin” role in the application. So my goal was to add new subscribers to my account without having admin “privileges”.

My approach

So I knew that an admin can add new subscribers to our account using this endpoint. Simply browsing this endpoint [ http://website.com/add/subscriber ] from a “Non-Admin” role gave a blank HTML page.

http://website.com/add/subscribers

This means that the website was validating the token at the end of the URL. So I needed to get access to the token somehow to add new subscribers to the account.

So I cleared my previous Burp traffic and started browsing the application from the “non-admin” account. After a few minutes I tried copying the token from the admin account and searched for it in the Burp traffic.

I was amazed to see that this token was being leaked to non-admin users inside a JavaScript tag.

So I copied the token and added it to the URL, and my final URL looked like:

http://website.com/add/subscribers?token=a3sd123as1d1as31sa21d

On browsing the URL I was able to add new subscribers to the account without having “admin privileges”.
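As an added example (not code from the write-up or from the program's application), the flawed check described above beside a hardened version: the vulnerable handler authorizes anyone who presents the shared URL token, while the hardened one requires the admin role from the server-side session and binds the token to that session, so a token leaked into page JavaScript is of no use to a non-admin account. The token value is the one quoted in the post; the session ids and the server key are constructed placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed placeholder; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-server-secret"

# The static token the write-up shows in the URL. Because it is the same
# for every session, exposing it anywhere (e.g. a script tag served to
# non-admins) hands out the admin capability to whoever reads it.
SHARED_TOKEN = "a3sd123as1d1as31sa21d"


@dataclass
class Session:
    session_id: str   # constructed server-side session identifier
    role: str         # "user", "manager" or "admin", as the post describes


@dataclass
class Account:
    subscribers: list = field(default_factory=list)


def add_subscriber_vulnerable(account: Account, token: str, subscriber: str) -> int:
    """Mirrors the bug: the only check is the URL token, never the caller's role."""
    if not hmac.compare_digest(token, SHARED_TOKEN):
        return 403
    account.subscribers.append(subscriber)
    return 200


def issue_token(session: Session) -> str:
    """Per-session token: HMAC of the session id under the server key.
    A token copied from an admin's page does not verify for another session."""
    return hmac.new(SERVER_KEY, session.session_id.encode(), hashlib.sha256).hexdigest()


def add_subscriber_hardened(session: Session, account: Account,
                            token: str, subscriber: str) -> int:
    """Authorization comes from the authenticated session's role; the token
    is a secondary, session-bound check rather than the sole gate."""
    if session.role != "admin":
        return 403
    if not hmac.compare_digest(token, issue_token(session)):
        return 403
    account.subscribers.append(subscriber)
    return 200
```

The hardened handler makes the shared token in the URL redundant: even if it leaks, a request from a non-admin session is refused by the role check before the token is examined.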

After checking the issue once again, I immediately submitted the vulnerability to the company.

So that's it for now. All the best and goodbye.

Sharing is caring.