39 lines
1.1 KiB
Markdown
39 lines
1.1 KiB
Markdown
|
|
||
|
|
## Vertical Privilege Escalation
|
||
|
|
|
||
|
|
- Non-administrative user gaining access to an admin page where they can delete accounts
|
||
|
|
- Attacker might be able to access administrative functions via the URL
|
||
|
|
https://insecure-website.com/admin
|
||
|
|
- Admin URL might be more obscure but still leaked in JavaScript that constructs the user interface:
|
||
|
|
```
|
||
|
|
<script>
|
||
|
|
var isAdmin = false;
|
||
|
|
if (isAdmin) {
|
||
|
|
...
|
||
|
|
var adminPanelTag = document.createElement('a');
|
||
|
|
adminPanelTag.setAttribute('https://insecure-
|
||
|
|
website.com/administrator-panel-yb556');
|
||
|
|
adminPanelTag.innerText = 'Admin panel';
|
||
|
|
...
|
||
|
|
}
|
||
|
|
</script>
|
||
|
|
```
|
||
|
|
|
||
|
|
Parameter-based Access Control Methods- Storing access information in a user-controlled location (hidden field, cookie, query string, etc.)
|
||
|
|
https://insecure-website.com/login/home.jsp?admin=true
|
||
|
|
https://insecure-website.com/login/home.jsp?role=1
|
||
|
|
|
||
|
|
- Platform Misconfiguration
|
||
|
|
- Restricting access at the platform layer by specific URLs and HTP methods:
|
||
|
|
```
|
||
|
|
DENY: POST, /admin/deleteUser,
|
||
|
|
managers
|
||
|
|
```
|
||
|
|
|
||
|
|
- Can override by editing the request header
|
||
|
|
```
|
||
|
|
POST / HTTP/1.1
|
||
|
|
X-Original-URL:
|
||
|
|
/admin/deleteUser
|
||
|
|
```
|