handbook/tools/3.Web-Hacking/3.Business-Logic/Access-Control-Vulnerabilities/Notes/2.Vertical-Privilege-Escalation.md at 8c056cb3457e46049264dddda6d09ab63e9543c3

x/handbook

Fork 0

Anton Nesterov af9011411c

vault backup: 2024-08-31 01:07:21

2024-08-31 01:07:22 +02:00

1.1 KiB

Raw Blame History

Vertical Privilege Escalation

Non-administrative user gaining access to an admin page where they can delete accounts
Attacker might be able to access administrative functions via the URL https://insecure-website.com/admin
Admin URL might be more obscure but still leaked in JavaScript that constructs the user interface:

<script>
var isAdmin = false;
if (isAdmin) {
...
var adminPanelTag = document.createElement('a');
adminPanelTag.setAttribute('https://insecure-
website.com/administrator-panel-yb556');
adminPanelTag.innerText = 'Admin panel';
...
}
</script>

Parameter-based Access Control Methods- Storing access information in a user-controlled location (hidden field, cookie, query string, etc.) https://insecure-website.com/login/home.jsp?admin=true https://insecure-website.com/login/home.jsp?role=1

Platform Misconfiguration
- Restricting access at the platform layer by specific URLs and HTP methods:

DENY: POST, /admin/deleteUser,
managers

- Can override by editing the request header

POST / HTTP/1.1
X-Original-URL:
/admin/deleteUser

1.1 KiB Raw Blame History

Vertical Privilege Escalation

1.1 KiB

Raw Blame History