Note: In this blog the website will be referred to as target.com instead of the original website. Every parameter name in the application will be written as “Param” and the values will be either asterisks “*” or some hand-typed gibberish. All the values are hand typed to protect the client’s details.
In this blog I will discuss how I was able to bypass the login validation for an untrusted user that is not present in the database/application, and ended up creating a new user without any maker-checker rule or admin intervention, so let’s get started.
Basic Working of Application
First, let’s understand how the application works. The application has three roles: maker, checker and admin. The maker makes certain changes, and the checker reviews the data the maker has entered and may accept it, reject it or ask the maker to cross-check it; this applies to new users as well as any other change the maker makes. For these changes the application uses a third-party API that fetches the data for that particular user, and the maker then makes the changes according to that data.
Login Process in Application
The login works as follows: the user enters their user id and clicks on Get Details. If the user is a legitimate user, the user’s details are displayed in the field mentioned below and the user can then log in to the application; otherwise the application returns an error message saying the user is not a valid user. So you need to be a valid user to log in to the application and do anything further.
How I Found the Vulnerability and Bypassed the Validation
1. Go to the Proxy tab
2. In the Proxy tab go to the Options tab
3. There is a section named Intercept Client Requests; in its first row the match type and condition contain (^gif$|^jpg$|^png$|^css$|^js$|^ico$). From here I removed |^js$ and saved it, so that requests for .js files would also be intercepted.
I copied the request and then entered a user id that is not supposed to be able to log in to the application; the user id I used was 123456, and the application gave me an error message.
So now I re-entered the user id 123456 and started capturing the request, and this time I tampered with the Get Details request using the login request, but no luck, the application still gave an error message (sorry, I forgot to take a screenshot of that). I then repeated the same process, but this time I not only tampered with the entire request but also dropped the request for the validation.js file, and to my surprise that worked: I was able to access the application and perform certain tasks (task screenshots will not be shown due to NDA). To confirm what was happening I tried again with the same user id, and when I clicked on the Get Details button I saw that the user had been created with maker rights.
(Screenshot: Request to be dropped)
Note: If you use the admin request, then the user that is created has admin rights.
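The root cause behind the bypass above is that the only thing stopping an unknown user id was validation.js in the browser, and the login path quietly provisioned whoever got past it with the role carried in the request. The following is an added example written for this post, not the target application’s code: a small in-memory model of the login handler, once in the shape the write-up describes (trusting that the client-side script already ran) and once with the check moved to the server, where the role is read from the server-side record and unknown ids are rejected instead of created. The user ids, roles and directory are constructed sample data.

```python
# Added example (not the target application's code): server-side user
# validation at login, contrasted with a handler that relies on validation.js.
# User ids, roles and the directory below are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed directory of legitimate users (hypothetical ids).
DIRECTORY: Dict[str, str] = {"100001": "maker", "100002": "checker", "900001": "admin"}


@dataclass
class LoginService:
    users: Dict[str, str] = field(default_factory=lambda: dict(DIRECTORY))
    audit: List[str] = field(default_factory=list)

    def login_vulnerable(self, user_id: str, role_hint: str = "maker") -> Optional[str]:
        """Mirrors the behaviour described in the post.

        The server assumes validation.js already rejected unknown ids. When that
        script never runs (its request was dropped), the id is accepted and an
        account is created with whatever role the request carried, with no
        maker/checker step and no admin intervention.
        """
        if user_id not in self.users:
            self.users[user_id] = role_hint  # silent auto-provisioning
            self.audit.append(f"created {user_id} as {role_hint}")
        return self.users[user_id]

    def login_fixed(self, user_id: str, role_hint: str = "maker") -> Optional[str]:
        """Authoritative check on the server, regardless of what the browser did.

        The role comes from the server-side record, never from the request, and
        an unknown id is rejected and logged rather than provisioned. Account
        creation belongs to the maker/checker workflow, not to the login path.
        """
        role = self.users.get(user_id)
        if role is None:
            self.audit.append(f"rejected unknown user {user_id}")
            return None
        return role  # role_hint is deliberately ignored

    def is_provisioned(self, user_id: str) -> bool:
        return user_id in self.users


if __name__ == "__main__":
    svc = LoginService()
    print("vulnerable:", svc.login_vulnerable("123456", "admin"), svc.audit)
    fixed = LoginService()
    print("fixed:", fixed.login_fixed("123456", "admin"), fixed.audit)
```

The useful detection signal here is the audit line: a login endpoint that ever writes “created …” for an id the directory has never seen is doing something the maker/checker design forbids, and that is the event to alert on.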
How I Elevated the User and Performed Privilege Escalation
To elevate privileges I logged in with the admin account and captured the requests. I went to the pages that only an admin can access and copied those requests. While looking into the requests I noticed that the application generates a token for each user, and every user has a different token; let’s call the token “Token_Name”. The token is shown in the screenshot below.
(Screenshot: Original request of admin)
With all that data gathered I logged in again as user 123456, clicked on the Reports tab and captured the request. In that request I first changed only the URL, but that failed because the application returned an error message. I then repeated the process, but this time I replaced the user’s URL containing the user’s “Token_Name” with the admin’s URL containing the admin’s “Token_Name” and sent the request. It went through and I got the admin account, and in that account I performed some tasks to show the client proof that the application is vulnerable to privilege escalation. I will not be able to show any screenshots, sorry for that.
(Screenshot: Normal user request)
(Screenshot: Edited request of user with admin data)
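The privilege escalation works because the server decides who is calling from the “Token_Name” value in the URL, so a request carrying the admin’s token is treated as the admin no matter which session sent it. The example below is added for this post and is not the target application’s code: it models the admin-only reports endpoint twice, once resolving identity from the URL token as the write-up describes, and once resolving identity only from the server-side session created at login, with the URL token checked against that session and any mismatch rejected and logged. The user ids, tokens, session table and URL shape are all constructed assumptions.

```python
# Added example (not the target application's code): binding the per-user
# "Token_Name" to the server-side session so that substituting another user's
# token in the URL does not change the acting identity.
# User ids, tokens, sessions and the URL layout are constructed sample data.
import hmac
import secrets
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

ROLES: Dict[str, str] = {"123456": "maker", "900001": "admin"}  # hypothetical ids
TOKENS: Dict[str, str] = {uid: secrets.token_hex(16) for uid in ROLES}  # per-user Token_Name
TOKEN_OWNER: Dict[str, str] = {tok: uid for uid, tok in TOKENS.items()}
SESSIONS: Dict[str, str] = {}  # opaque session cookie -> user id, set at login
ALERTS: List[str] = []  # what a defender would forward to the SIEM


def login(user_id: str) -> str:
    """Server-side login: issue an opaque session cookie bound to user_id."""
    cookie = secrets.token_urlsafe(24)
    SESSIONS[cookie] = user_id
    return cookie


def token_from_url(url: str) -> Optional[str]:
    """Extract Token_Name from a request URL such as /reports?Token_Name=..."""
    return parse_qs(urlparse(url).query).get("Token_Name", [None])[0]


def admin_report_vulnerable(url: str) -> Tuple[int, str]:
    """Identity is derived from the URL token, so whoever supplies the admin's
    token is the admin. This is the behaviour the write-up describes."""
    uid = TOKEN_OWNER.get(token_from_url(url) or "")
    if uid is None:
        return 401, "unknown token"
    if ROLES[uid] != "admin":
        return 403, "admins only"
    return 200, f"admin report for {uid}"


def admin_report_fixed(url: str, session_cookie: str) -> Tuple[int, str]:
    """Identity comes only from the session. The URL token must belong to that
    same user; a mismatch is rejected and recorded as a tampering signal."""
    uid = SESSIONS.get(session_cookie)
    if uid is None:
        return 401, "no session"
    supplied = token_from_url(url) or ""
    if not hmac.compare_digest(supplied, TOKENS[uid]):
        ALERTS.append(f"Token_Name mismatch: session user {uid} sent a token that is not theirs")
        return 403, "token does not belong to this session"
    if ROLES[uid] != "admin":
        return 403, "admins only"
    return 200, f"admin report for {uid}"


if __name__ == "__main__":
    maker_cookie = login("123456")
    admin_url = f"/reports?Token_Name={TOKENS['900001']}"
    print("vulnerable:", admin_report_vulnerable(admin_url))
    print("fixed:", admin_report_fixed(admin_url, maker_cookie), ALERTS)
```

Two design points are worth noting. The role check is still present in the vulnerable version; the flaw is that the thing being checked (the token) is chosen by the client, which is why simply “changing the URL” to an admin page failed for the author but swapping the token succeeded. In the fixed version the token adds nothing to authorization and could be dropped entirely; keeping the comparison only turns an attempted swap into a logged event.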
If you liked the post and found it useful, please hit the clap, and if you have any changes or suggestions to help me improve I am open to them: email@example.com