Privilege Escalation: Unauthenticated User to Admin

Written by Snir Aviv on

Introduction

During a penetration test conducted on a web application, a critical finding was discovered: it was possible to create an administrator user account without being authenticated.
The application's frontend interacts with a backend API that allows users to perform multiple actions in the system, such as authentication and fetching data. The application also has administration capabilities that should only be accessible to authorized accounts.

How We Found the Critical Finding

Step 1: Initial Reconnaissance

Clear Gate performed a web application penetration test on the system using a black-box approach, starting without credentials. While reviewing the client-side source code, in particular the JavaScript Webpack bundles, we encountered several different API endpoints. One of them appeared to perform a very interesting action:

API References Displayed in JavaScript Code

Step 2: Crafting the API Request

Next, we verified whether it was possible to send the request without any form of authentication. We did not know which parameters had to be passed to the API endpoint for the request to be processed properly, so we continued reviewing the client-side source code and extracted potential parameters that might be relevant to the tested endpoint.

Ultimately, it was possible to send the request using the following parameters and successfully create a user in the system:

  • firstName
  • email
  • userName
  • password

Creating a User in the System while being Unauthenticated

Step 3: Putting It All Together and Exploiting

After creating the user, we decided to push the attack further by trying to control the created account's privileges. We added the role parameter, which had also been found during the earlier client-side code review, and started guessing the correct value for an administrative account. After several attempts, we discovered that setting the value to 44 creates an account with full privileges. As a result, we could fetch any user's private information, perform actions on behalf of users, and access any API endpoint in the system:

Creating an Administrative Account with Full Permissions

Mitigation

Clear Gate advised implementing server-side validation across all API endpoints in the system, so that actions requiring authentication are processed only when the request carries a valid authorization token with the required privileges.
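The following is an added example, not Clear Gate's code or the tested application's, showing what that server-side check looks like for a user-creation endpoint: the handler rejects requests without a valid token, never lets the client's role field reach the data layer unless the caller is already an administrator, and allowlists the remaining fields. The token store, the non-admin role value (1), the request shape and the function names are assumptions constructed for the example; only the role value 44 comes from the write-up.

```javascript
// Constructed role values: the page only tells us that 44 meant "administrator".
const ROLE_USER = 1;
const ROLE_ADMIN = 44;

// Constructed session store: bearer token -> caller identity (a real app would hit a DB/IdP).
const SESSIONS = new Map([
  ["tok-alice", { userName: "alice", role: ROLE_ADMIN }],
  ["tok-bob", { userName: "bob", role: ROLE_USER }],
]);

// Fields a client is allowed to supply. `role` is deliberately absent, so it can only be
// assigned by the server-side logic below (prevents mass assignment of privileges).
const ALLOWED_FIELDS = ["firstName", "email", "userName", "password"];

// Resolve the caller from the Authorization header; null means unauthenticated.
function authenticate(headers) {
  const [scheme, token] = String(headers.authorization || "").split(" ");
  if (scheme !== "Bearer" || !token) return null;
  return SESSIONS.get(token) || null;
}

// Hypothetical framework-agnostic handler: request = { headers, body }, users = storage array.
// Returns { status, body } so the decision can be inspected and tested directly.
function createUser(request, users) {
  // 1. Authentication: the endpoint does nothing for anonymous callers.
  const caller = authenticate(request.headers || {});
  if (!caller) return { status: 401, body: { error: "authentication required" } };

  const input = request.body || {};

  // 2. Authorization: only an administrator may request an administrative role.
  //    Rejecting (rather than silently downgrading) makes the attempt visible in logs.
  const wantsAdmin = Number(input.role) === ROLE_ADMIN;
  if (wantsAdmin && caller.role !== ROLE_ADMIN) {
    return { status: 403, body: { error: "insufficient privileges to assign role" } };
  }

  // 3. Input allowlisting: copy only known string fields; anything else is dropped.
  for (const f of ALLOWED_FIELDS) {
    if (typeof input[f] !== "string" || input[f].length === 0) {
      return { status: 400, body: { error: `missing or invalid field: ${f}` } };
    }
  }
  const user = Object.fromEntries(ALLOWED_FIELDS.map((f) => [f, input[f]]));

  // 4. Privilege is decided by the server, never copied from the request body.
  user.role = wantsAdmin ? ROLE_ADMIN : ROLE_USER;
  users.push(user);
  return { status: 201, body: { userName: user.userName, role: user.role } };
}
```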
