This article is based on how I found a Privilege Escalation Bug on an Ecommerce website which allowed me to get full administrator access to the shop.
Let’s call this Ecommerce site redacted.com. In redacted.com, an administrator of a shop had the authority to add other users as admins or to assign them other roles. This article walks through how I found a privilege escalation bug in redacted.com and was able to get full administrator access to the shop.
First of all, I would like to start with a brief introduction to what a privilege escalation vulnerability is.
Privilege escalation is a vulnerability in which a normal user is able to gain access to a resource or capability that is normally restricted to higher-privileged users.
In redacted.com, when the admin added a user to his shop with a non-admin permission, the request appeared as below:
POST /seller/submitEditUser.json HTTP/1.1
Accept-Encoding: gzip, deflate
JSID=JSID value; CSRFT=335131365a3ee; JSESSIONID=value; isg=ISGVALUE
Here, the ISG parameter identified which shop on the website the request applied to, the userID parameter identified which user to upgrade, and the role parameter specified which role the user should be assigned in the shop. Similarly, the JSID parameter was used to check whether we were part of the shop or not.
I made 3 accounts on the website.
User A — the shop administrator.
User B — a user with a non-admin role in the shop.
User C — the admin of a random, unrelated shop (a random account).
Now, from User C, I sent the same request but changed a few parameters. I changed the JSID parameter to User B’s value, which told the website that I was part of that shop. I changed the role parameter to 1, which told the website to upgrade the role to admin. I changed the ISG parameter to match the shop whose privileges I was escalating. Lastly, I changed the userID parameter to User B’s and sent the request from account C.
Upon doing that, User B’s role was upgraded to admin without any admin interaction, and in this way I was able to get full administrator access to the shop.
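The root cause described above is that the server decided who was allowed to change a role from values the client controlled (the JSID and ISG cookies and the userID/role parameters) instead of from its own session state. The following is an added example, not code from the article or from redacted.com: it models the submitEditUser decision as two small handlers, one mirroring the flawed logic the write-up describes and one that derives the requester from the server-side session and requires that requester to be an admin of the target shop. All names here (Shop, ROLE_ADMIN, ROLE_MEMBER, fresh_shops, the session and user ids) are constructed for the example; the modelling of JSID as a client-supplied member identifier is an assumption based on the write-up.

```python
# Added example (not the original article's code): a minimal model of the
# /seller/submitEditUser.json authorization decision. Shows why trusting
# client-supplied shop and member identifiers lets an admin of one shop
# change roles in another, and what a server-side check looks like.
# All identifiers below are constructed for the example.

from dataclasses import dataclass, field

ROLE_ADMIN = 1    # the article reports that role=1 meant "admin"
ROLE_MEMBER = 2   # constructed value for a non-admin role


class Forbidden(Exception):
    """Raised when the requester is not allowed to perform the change."""


@dataclass
class Shop:
    shop_id: str                                  # what the isg cookie named
    roles: dict = field(default_factory=dict)     # user_id -> role


def fresh_shops() -> dict:
    """Constructed data mirroring the article: User A administers shop_a,
    User B is a non-admin member of shop_a, User C administers shop_c."""
    return {
        "shop_a": Shop("shop_a", {"userA": ROLE_ADMIN, "userB": ROLE_MEMBER}),
        "shop_c": Shop("shop_c", {"userC": ROLE_ADMIN}),
    }


# Server-side session store: JSESSIONID -> authenticated user id (constructed).
SESSIONS = {"sess_A": "userA", "sess_B": "userB", "sess_C": "userC"}


def vulnerable_edit_user(shops: dict, cookies: dict, params: dict) -> int:
    """Mirrors the flawed logic the article describes: membership is read
    from the client-controlled JSID value and the shop from the isg cookie,
    and nobody checks that the *requester* is an admin of *that* shop."""
    shop = shops[cookies["isg"]]
    claimed_member = cookies["JSID"]          # assumption: JSID names a member
    if claimed_member not in shop.roles:      # "are we part of the shop?"
        raise Forbidden("not a member of this shop")
    shop.roles[params["userID"]] = int(params["role"])
    return shop.roles[params["userID"]]


def hardened_edit_user(shops: dict, cookies: dict, params: dict) -> int:
    """Derive the actor from the server-side session, then require that the
    actor is an admin of the target shop and that the target user already
    belongs to it. No authorization fact is taken from the client."""
    actor = SESSIONS.get(cookies.get("JSESSIONID"))
    if actor is None:
        raise Forbidden("not authenticated")
    shop = shops.get(cookies.get("isg"))
    if shop is None or shop.roles.get(actor) != ROLE_ADMIN:
        raise Forbidden("requester is not an admin of this shop")
    target = params["userID"]
    if target not in shop.roles:
        raise Forbidden("target user is not a member of this shop")
    new_role = int(params["role"])
    if new_role not in (ROLE_ADMIN, ROLE_MEMBER):
        raise Forbidden("unknown role")
    shop.roles[target] = new_role
    return new_role


def role_after(handler, cookies: dict, params: dict):
    """Run a handler against fresh data and return the target user's role
    afterwards; a refused request leaves the role unchanged."""
    shops = fresh_shops()
    try:
        handler(shops, cookies, params)
    except Forbidden:
        pass
    return shops[cookies["isg"]].roles.get(params["userID"])


# The request from the article, as constructed values: User C's own session,
# User B's JSID, shop_a's isg, and userID/role pointing at User B as admin.
CROSS_SHOP_COOKIES = {"JSESSIONID": "sess_C", "JSID": "userB", "isg": "shop_a"}
LEGIT_ADMIN_COOKIES = {"JSESSIONID": "sess_A", "JSID": "userA", "isg": "shop_a"}
PROMOTE_B = {"userID": "userB", "role": "1"}

if __name__ == "__main__":
    print("vulnerable, cross-shop:", role_after(vulnerable_edit_user, CROSS_SHOP_COOKIES, PROMOTE_B))
    print("hardened, cross-shop:  ", role_after(hardened_edit_user, CROSS_SHOP_COOKIES, PROMOTE_B))
    print("hardened, real admin:  ", role_after(hardened_edit_user, LEGIT_ADMIN_COOKIES, PROMOTE_B))
```

The point of the hardened version is that every fact the decision depends on (who is asking, which shop they administer, whether the target belongs to that shop) comes from server-side state keyed by the authenticated session; the cookie and form values only name the object being edited and are validated against that state rather than trusted. A regression test that replays the cross-shop request and asserts the role is unchanged is the cheapest way to keep this class of bug from coming back.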
Thank you for reading till the end. If you have any questions, DM me on Twitter at @ibaibhavjha.
Editor’s Note — We are publishing write-ups related to cyber security every week. We are looking to grow our community. If you are interested in writing about cyber security, please email firstname.lastname@example.org.