How I found a Privilege Escalation Bug in a private Ecommerce?

Baibhav Anand
Jan 6 · 2 min read
Image source: https://www.netsparker.com/blog/web-security/privilege-escalation/

This article describes how I found a privilege escalation bug on an e-commerce website that allowed me to obtain full administrator access to a shop.

Let's call this e-commerce site redacted.com. On redacted.com, a shop administrator had the authority to add other users to the shop as admins or to assign them other roles. This article walks through how I found a privilege escalation bug in that role-assignment feature and was able to get full administrator access to the shop.

First of all, I would like to start with a brief introduction to what a privilege escalation vulnerability is.

Privilege escalation is a vulnerability in which a normal user is able to gain access to a resource or capability that is normally restricted to higher-privileged users.

On redacted.com, when the admin added a user to his shop with a non-admin permission, the request looked like this:

POST /seller/submitEditUser.json HTTP/1.1
Host: vulnerable.vulnerable.com
Connection: close
Content-Length: 63
Accept: application/json, text/javascript
Origin: https://vulnerable.vulnerable.com
X-XSRF-TOKEN:
User-Agent:
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: XXXX
JSID=JSID value; CSRFT=335131365a3ee; JSESSIONID=value; isg=ISGVALUE

role=4&language=670&active=true&userName=xxxx &userId=1010799

Here, the ISG cookie identified which shop on the website the request targeted, the userId parameter identified which user to modify, and the role parameter specified the role that user should be given in the shop. The JSID cookie, in turn, was what the site used to check whether the requester was part of the shop.

I made three accounts on the website:

User A: the shop administrator.

User B: a user with a non-admin role in the shop.

User C: the admin of an unrelated, random shop (a random account).

Now, from User C, I sent the same request but changed a few parameters. I changed the JSID parameter to that of User B, which told the website that I was part of that shop. I changed the role parameter to 1, which told the website to upgrade the role to admin. I changed the ISG parameter to match the shop whose privileges I was upgrading. Lastly, I changed the userId parameter to that of User B and sent the request from account C.

Upon doing that, User B's role was upgraded to admin without any admin interaction. In this way, I was able to get full administrator access to the shop.
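The root cause described above is that the server took the shop (ISG) and the caller's identity (JSID) from client-controlled cookies and only checked membership, never whether the caller was actually an admin of that shop. The following is an added example, not the site's code, that models the faulty check beside a hardened one; the role numbers, user IDs and shop names are constructed assumptions.

```python
from dataclasses import dataclass, field

ROLE_ADMIN = 1   # assumption: role=1 is shop admin, as in the modified request
ROLE_STAFF = 4   # assumption: role=4 is the non-admin role from the original request


@dataclass
class Shop:
    members: dict = field(default_factory=dict)   # user_id -> role


@dataclass
class Session:
    """Server-side session: user and shop are bound at login, not read from cookies."""
    user_id: int
    shop_id: str


class Forbidden(Exception):
    pass


def build_sample() -> dict:
    """Constructed data: shop S1 has admin A (1) and staff B (2); C (3) administers S2."""
    return {"S1": Shop({1: ROLE_ADMIN, 2: ROLE_STAFF}), "S2": Shop({3: ROLE_ADMIN})}


def edit_user_vulnerable(shops, jsid_lookup, cookies, params):
    """Faulty check: shop from the ISG cookie, caller from the JSID cookie,
    and only membership is verified, never whether that member is an admin."""
    shop = shops[cookies["ISG"]]
    caller = jsid_lookup[cookies["JSID"]]
    if caller not in shop.members:
        raise Forbidden("not a member of this shop")
    shop.members[params["userId"]] = params["role"]
    return shop.members[params["userId"]]


def edit_user_hardened(shops, session: Session, params):
    """Resolves caller and shop from the server-side session, requires the
    caller to be an admin of that shop, and refuses to edit users outside it."""
    shop = shops[session.shop_id]
    if shop.members.get(session.user_id) != ROLE_ADMIN:
        raise Forbidden("caller is not an admin of this shop")
    target = params["userId"]
    if target not in shop.members:
        raise Forbidden("target user is not a member of this shop")
    if params["role"] not in (ROLE_ADMIN, ROLE_STAFF):
        raise ValueError("unknown role")
    shop.members[target] = params["role"]
    return shop.members[target]


def denied(fn, *args) -> bool:
    """True when the handler refuses the request with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The hardened handler also fails closed when the session's shop has no record of the caller at all, which is the case for an account from an unrelated shop.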

Thank you for reading till the end. If you have any questions, DM me on Twitter: @ibaibhavjha

Editor's Note: We are publishing write-ups related to cyber security every week and are looking to grow our community. If you are interested in writing about cyber security, please email blog@nassec.io.

nassec

Writeups related to cybersecurity by Nassec contributors.

Written by Baibhav Anand

I am a security researcher from Nepal and also the Founder and CEO of BaiTux (a cyber security based educational start-up).
