Gaining Control: How Response Manipulation Leads to Higher Privileges (PoC)

Mr.MG
4 min read · May 15, 2024


Greetings, readers! I am Maulik Goti, a Security Analyst👨‍💻 and Cyber Security Researcher🕵🏻‍♀️.
First, let's understand this vulnerability.

DESCRIPTION:

This article explores how attackers gain more power in a system through a sneaky method: tweaking responses. It shows how small changes to the data exchanged between client and server can grant large access rights. Using real-life examples, it explains how attackers use response manipulation to obtain higher privileges. By breaking down these examples, it helps readers understand how attackers exploit weaknesses and bypass security controls, emphasises why knowing about response manipulation matters, and encourages developers and security experts to harden their systems against these attacks.

IMPACT:

This vulnerability essentially allows someone to manipulate how a system responds to certain actions, which can result in them gaining higher privileges or access than they should have. In simpler terms, it’s like tricking the system into thinking you’re supposed to have more power or access than you actually do. This could lead to serious security breaches, as unauthorized individuals could exploit this loophole to gain control over sensitive information or systems.

I don't believe in long narratives; instead, I make my point quickly.

Today I’m sharing a vulnerability that I found a while ago, which I believe is quite interesting.

But I'm not going to share the bug bounty program name, domain name, etc., because I didn't get permission to disclose it.

Let’s proceed systematically to address the vulnerability…

Let's assume the target is Crowd.Example.com, a sub-domain of Example.com.

When I started hunting on the program, I made two different privileged accounts and initiated reconnaissance on my target.

I found many functionalities and tried to find bugs in them, but unfortunately I did not get any interesting points. Then I stumbled upon an interesting functionality: "Change role."

Okay, now I’ll walk you through it step by step using proof of concepts.

Step 1: Log in with valid credentials that have lower privileges. Observe that this user has only one access, namely 'schema creator', in the 'select user role' functionality.

Step 2: Upon navigating to 'schema creator', select the 'Change role' menu item.

Step 3: Capture the request and response in a web proxy tool like 'Burp Suite'; it was observed that one API is hit in the back end.

Step 4: After intercepting the response, I manipulated the value of the 'role' parameter from the lower-privilege user to the higher-privilege user.

Step 5: In the browser I observed that the changes had been reflected. Here, I select the user role 'Incentive_Reviewer'.

Step 6: After selecting the 'Incentive_Reviewer' user role, I attempt to access the scheme payment details.

Impressively💪, I got the Scheme Payment Details.🤩

OWASP Category: A01:2021 — Broken Access Control

Vulnerability Severity: High

MITIGATION:

To reduce the risk of response manipulation and privilege escalation, it's important to combine several security measures:

1. Check and Clean Data: Treat any data coming from outside the server, including values the client echoes back from an earlier response, as untrusted, and validate it carefully before use.

2. Change Output: Before showing data to users, encode it into a safe format to prevent attacks like cross-site scripting.

3. Limit Where Content Comes From: Use rules such as a content security policy to control where content on a web page may be loaded from. This stops unauthorized scripts from running.

4. Give Minimal Access: Only give users the access they need to do their job, and enforce that access on the server for every request rather than relying on the role the client displays. This limits how far an attack can go.

5. Regular Checks: Keep testing web applications for problems, both automatically and manually, so that issues are found and fixed before attackers can use them.

By doing all these things, organizations make it harder for attackers to manipulate responses and gain extra privileges. Regular checks, security training, and being ready to respond quickly are all important parts of staying safe.
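To make the defensive point behind Steps 3 to 6 and mitigation item 4 concrete, here is an added example (not code from the original post or from the program tested) that models the flow in Python: the server hands the role to the client, the proxy rewrites the client's copy, and two versions of the payment-details endpoint differ only in whose copy of the role they trust. All names (USER_ROLES, SESSIONS, the session tokens and handler functions) are assumptions for this illustration.

```python
from dataclasses import dataclass, field
# Server-side source of truth for roles (constructed sample accounts).
USER_ROLES = {
    "alice": "schema_creator",      # low-privilege account from Step 1
    "bob": "incentive_reviewer",    # account that may see payment details
}
# Server-side session store: session token -> username.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
# Roles allowed to read scheme payment details.
PAYMENT_ROLES = {"incentive_reviewer"}
# Audit trail of client-claimed roles that did not match the server's view.
TAMPER_LOG = []

@dataclass
class Request:
    session: str
    body: dict = field(default_factory=dict)

def get_user_role(req):
    """GET /api/role: the response that Step 4 rewrites in the proxy."""
    user = SESSIONS[req.session]
    return {"user": user, "role": USER_ROLES[user]}

def vulnerable_payment_details(req):
    """Trusts the role the client sends back, so a rewritten response wins."""
    if req.body.get("role") in PAYMENT_ROLES:
        return {"status": 200, "data": "scheme payment details"}
    return {"status": 403}

def hardened_payment_details(req):
    """Re-derives the role from the session on every request; the role the
    client claims is used only as a tamper signal for logging."""
    user = SESSIONS.get(req.session)
    if user is None:
        return {"status": 401}
    real_role = USER_ROLES[user]
    claimed = req.body.get("role")
    if claimed is not None and claimed != real_role:
        TAMPER_LOG.append((user, claimed, real_role))
    if real_role not in PAYMENT_ROLES:
        return {"status": 403}
    return {"status": 200, "data": "scheme payment details"}

def simulate(handler, tampered_role):
    """Low-privilege client whose proxy changed 'role' in the API response,
    then requests payment details with the role it now believes it has."""
    client_state = get_user_role(Request("sess-alice"))
    client_state["role"] = tampered_role  # the edit made in the proxy
    return handler(Request("sess-alice", {"role": client_state["role"]}))["status"]
```

The mismatch recorded in TAMPER_LOG is the signal a defender can alert on: a session whose claimed role differs from the server's record is either a bug in the client or someone editing responses.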

After I reported the bug, the company answered the following day and, a few days later, I was given the Bounty💰 for my submission.

THANKS FOR READING!

If you like it do not forget to Like it and Follow me for more articles.

Follow Me on Twitter & Join me on LinkedIn

I hope this will inspire you.

Happy Hacking~
