#6. Bug Bounty Series: Vertical Privilege Escalation via Session Storage
Hello and welcome, fellow cyber explorers! Today, I'm excited to share another write-up on vertical privilege escalation, in which I escalated a low-privileged Employee user to Super Admin.
Description:
Vertical Privilege Escalation refers to the process of gaining higher privileges than the user currently has. For example, a low-level employee may exploit a vulnerability in the system to gain administrative privileges, thus obtaining the ability to perform actions with a much higher level of authority.
Impacts of Vertical Privilege Escalation:
- Gaining access to other connected systems
- Gaining access to applications or data on a system beyond the privileges of the originally compromised account, and manipulating that data.
Now let's get to the main point…
I was testing a web application that has four different roles: Employee, Manager, Admin and Super Admin. I'll refer to the domain as example.com, as I'm not allowed to reveal the real one. Initially I looked at the users' activity to see how the application recognizes someone as an Employee versus an Administrator, but nothing stood out.
I logged in with an Employee user account and tested the web application's features. An Employee could not edit data within the portal and had restricted access to features and resources. Alright, I'll take you through it step by step…
Steps to Reproduce:
1. After all the checks, I started browsing the application and inspected the Storage section in the browser's Developer Tools.
2. I expanded Session Storage and Local Storage and found a key named UserAdminRoles whose value was blank in Session Storage.
3. So I quickly logged in to the Admin user account and checked the value of UserAdminRoles there. For the admin user the value was IsAdmin.
4. I then set the Employee's UserAdminRoles value to IsAdmin, and the Admin tab appeared with a few functionalities.
5. Next, I set the UserAdminRoles value to the following:
   IsSuperAdmin, IsAdmin, IsManager
6. After refreshing the page, boom: the Employee gained Super Admin privileges without much effort. The Employee was now able to access the admin panel, view and delete the logs of other users, and modify values in the application.
Finally, I reported the vulnerability.
We usually overlook session and local storage. I strongly advise always checking these storage mechanisms, as they may contain sensitive information such as a JWT, an email address or password, or personally identifiable information (PII). The root cause here is that the application trusted a role value the browser holds and can freely edit; authorization decisions have to be made on the server from state the client cannot alter.
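To make the defensive point concrete, here is an added example (mine, not code from the original write-up or from the application tested) that contrasts the vulnerable pattern from the steps above with a hardened one and adds a detection check. The store names, session ids, action names and user names are constructed; only the role values (IsAdmin, IsManager, IsSuperAdmin) mirror the ones observed in the write-up.

```javascript
// Added example (hypothetical names): server-side authorization that ignores
// role claims stored in the browser, plus a tamper-detection check.

// Role hierarchy; higher rank implies the lower ones (constructed).
const ROLE_RANK = { Employee: 1, IsManager: 2, IsAdmin: 3, IsSuperAdmin: 4 };

// Constructed server-side session store: opaque session id -> authoritative record.
// This is the state the browser cannot edit.
const SERVER_SESSIONS = new Map([
  ["sess-emp-1", { user: "alice", roles: ["Employee"] }],
  ["sess-adm-1", { user: "bob", roles: ["IsAdmin"] }],
]);

// Minimum role required for each privileged action (constructed).
const REQUIRED = {
  viewAdminTab: "IsAdmin",
  viewUserLogs: "IsAdmin",
  deleteUser: "IsSuperAdmin",
};

// Parse a comma-separated role string such as "IsSuperAdmin, IsAdmin, IsManager".
function parseRoles(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// Highest rank among a list of roles; unknown roles count as 0.
function highestRank(roles) {
  return roles.reduce((max, r) => Math.max(max, ROLE_RANK[r] || 0), 0);
}

// VULNERABLE pattern, kept for contrast: the decision is based on roles the
// client supplies (the equivalent of reading sessionStorage.UserAdminRoles).
// Editing the value in Developer Tools is enough to unlock every action.
function authorizeClientSide(request, action) {
  const claimed = parseRoles(request.clientRoles);
  return highestRank(claimed) >= ROLE_RANK[REQUIRED[action]];
}

// HARDENED pattern: the only input that matters is the opaque session id.
// Roles are looked up in the server-side store; the client's claim is ignored.
function authorizeServerSide(request, action) {
  const session = SERVER_SESSIONS.get(request.sessionId);
  if (!session) return false; // unknown or expired session: deny
  return highestRank(session.roles) >= ROLE_RANK[REQUIRED[action]];
}

// DETECTION: a client that claims roles its server-side session does not hold
// is a tampering signal worth logging and alerting on, even though the
// hardened authorizer already denies the request.
function detectRoleTampering(request) {
  const session = SERVER_SESSIONS.get(request.sessionId);
  if (!session) return { tampered: false, extraRoles: [], reason: "unknown session" };
  const claimed = parseRoles(request.clientRoles);
  const extraRoles = claimed.filter((r) => !session.roles.includes(r));
  return { tampered: extraRoles.length > 0, extraRoles };
}

// Constructed request: an Employee session whose browser storage was edited to
// "IsSuperAdmin, IsAdmin, IsManager", reproducing the write-up's scenario.
const tamperedRequest = {
  sessionId: "sess-emp-1",
  clientRoles: "IsSuperAdmin, IsAdmin, IsManager",
};

// Run stand-alone: the client-side check is fooled, the server-side one is not.
console.log("client-side allows deleteUser:", authorizeClientSide(tamperedRequest, "deleteUser"));
console.log("server-side allows deleteUser:", authorizeServerSide(tamperedRequest, "deleteUser"));
console.log("tampering detected:", JSON.stringify(detectRoleTampering(tamperedRequest)));
```

Browser storage is still a fine place to cache a role for UI hints (which tabs to render), but every privileged request must be re-authorized server-side from the session record, and a mismatch between the cached claim and the server's view is a cheap, high-signal log event for the SOC.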
So, that's it for now. Thanks for reading, and I appreciate you taking the time. For more write-ups like this one, do visit my other write-ups.
If you found it useful, please click the button below and share it with others who have similar interests! Feedback is always appreciated!