Hellow folks! I hope you’re well! In this writeup I’ll tell you how I become low privilege user to an Admin. So without further delay let’s get started.
I was hunting on private program of Bugcrowd. That company was providing Cloud Security, Network Security, etc. (Related to Cyber Security). I started doing recon and I tested 2–3 domains and I found nothing. I moved on another subdomain. That subdomain was type of ecommerce. We can purchase Softwares and so on. I was testing on sign in page functionality. There was validation while creating an account.
So I typed firstname.lastname@example.org and intercept request while click on submit button. I changed example.com to gmail.com and forwarded the request. And I logged In, there was no email verification too.
Then I started playing with Burp History. I got sub.redacted.com/api/users. I send it to repeater click on go and got 401 Unauthorized. I checked other requests and I got that Authorization header is missing.
I copied Authorization header with value(JWT). And I got All users and bug hunter’s information who is also testing same website even admins too. Now I can see their Name, Email, ID, Is admin or not(JSON format). Interesting…
I again login to website intercept request in check it’s response. In response admin param caught my attention. The param was like IsAdmin:false. I changed it to true and forward the request and turn off intercept. Now I’m admin. I tried finding another bugs which can perform by as admin. But there was nothing too test. No IDOR, XSS, CSRF, etc.
I tried to play with JWT. I decode it. There were some values like email, ID, and IsAdmin? As you know I got All user’s Information I picked first admin’s details and replaced with my values and create JWT. Now again I logged In with another email and intercept request and check response and I replaced my JWT which created and paste it and forward the request. It works! So, I can perform admin access response manipulation and JWT attack. That’s it. Keep hunting. Keep sharing !!