Access Control
Email change with JSON body containing roleid
Send the email-change request to Intruder, add "roleid":§32§ to the JSON body, and fuzz the roleid value (a numeric range is a good first payload set).
The attacker identifies the role ID that maps to the administrator role, then re-sends the request with that roleid to escalate the currently logged-in user to administrator. The root cause is mass assignment: the endpoint copies every field of the JSON body onto the account instead of allow-listing the fields the user is meant to change.
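The mass assignment described above, as an added example that is not code from the page or from the lab: a toy email-change endpoint that copies every JSON key onto the account, a fixed version that allow-lists the email field, and the fuzzing loop that finds the administrator role ID. The role table, the account name and the field names are constructed for illustration.

```python
# Added example (not code from the page or the lab): a toy email-change endpoint
# that mass-assigns a client-supplied roleid, and the fuzzing loop that finds the
# administrator role ID. Role IDs, the account and the field names are assumptions.
import json

# Constructed role table. The attacker does not know these IDs in advance,
# which is why the roleid value is fuzzed rather than guessed once.
ROLES = {1: "user", 2: "moderator", 27: "administrator"}


class ToyApp:
    def __init__(self):
        self.accounts = {"wiener": {"email": "wiener@example.net", "roleid": 1}}

    def _view(self, user):
        acct = self.accounts[user]
        return {**acct, "role": ROLES.get(acct["roleid"], "unknown")}

    def change_email_vulnerable(self, user, body):
        """Mass assignment: every key in the JSON body is copied onto the
        account, so "roleid" in the body silently rewrites the user's role."""
        data = json.loads(body)
        if "email" not in data:
            return 400, None
        self.accounts[user].update(data)
        return 200, self._view(user)

    def change_email_fixed(self, user, body):
        """Allow-list: only the field this endpoint exists to change is
        written; any other key, including roleid, is ignored."""
        data = json.loads(body)
        if "email" not in data:
            return 400, None
        self.accounts[user]["email"] = data["email"]
        return 200, self._view(user)


def fuzz_roleid(app, user, handler, candidates):
    """Replay the email-change request once per candidate roleid, the way
    Intruder iterates a payload position such as "roleid":§32§, and return the
    first ID whose response shows the account as administrator."""
    for rid in candidates:
        body = json.dumps({"email": "wiener@example.net", "roleid": rid})
        status, account = getattr(app, handler)(user, body)
        if status == 200 and account["role"] == "administrator":
            return rid
    return None


if __name__ == "__main__":
    app = ToyApp()
    print("vulnerable:", fuzz_roleid(app, "wiener", "change_email_vulnerable", range(64)))
    print("fixed:", fuzz_roleid(ToyApp(), "wiener", "change_email_fixed", range(64)))
```

Against the vulnerable handler the loop stops at the constructed administrator ID; against the allow-listing handler it exhausts the range and the account's roleid is unchanged, which is the check to make after the fix.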
Dropdown role
With Proxy intercept on, forward the POST /login request. The next request is GET /role-selector. Drop this request and then browse to the lab's home page. Observe that your role has defaulted to the administrator role and you have access to the admin panel.
The role-selection step fails open: a session that never completes it is treated as the most privileged role instead of being sent back to the selector or denied.
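The fail-open state machine described above, as an added example that is not the page's or the lab's code: a toy login flow that leaves the role unset until the role-selector step, a home page that defaults the missing role to administrator, and a fixed home page that sends an incomplete session back to the selector. The username, password and role names are constructed.

```python
# Added example (not the page's or the lab's code): a toy login flow whose
# role-selection step fails open when the client skips it, next to a version
# that fails closed. Usernames, passwords and role names are constructed.
class ToyAuth:
    ADMIN = "administrator"
    # Constructed user store: password and the roles each user may pick.
    USERS = {"alice": {"password": "s3cret", "roles": ("user",)}}

    def __init__(self):
        self.sessions = {}
        self._counter = 0

    def login(self, username, password):
        """POST /login: authenticate and create a session. The role is
        deliberately left unset until the client completes /role-selector."""
        user = self.USERS.get(username)
        if user is None or user["password"] != password:
            return None
        self._counter += 1
        sid = f"sess{self._counter}"
        self.sessions[sid] = {"user": username}
        return sid

    def role_selector(self, sid, role):
        """GET /role-selector (the dropdown): records the chosen role after
        checking the user is actually allowed to hold it."""
        sess = self.sessions[sid]
        if role not in self.USERS[sess["user"]]["roles"]:
            return False
        sess["role"] = role
        return True

    def home_vulnerable(self, sid):
        """Fail-open: a session that never set a role gets the privileged default,
        so dropping the /role-selector request lands the user in the admin panel."""
        role = self.sessions[sid].get("role", self.ADMIN)
        return {"role": role, "admin_panel": role == self.ADMIN}

    def home_fixed(self, sid):
        """Fail-closed: an incomplete state machine is sent back to finish the
        step, and the default is never a privileged role."""
        sess = self.sessions[sid]
        if "role" not in sess:
            return {"redirect": "/role-selector"}
        return {"role": sess["role"], "admin_panel": sess["role"] == self.ADMIN}


if __name__ == "__main__":
    auth = ToyAuth()
    sid = auth.login("alice", "s3cret")    # forward POST /login ...
    print(auth.home_vulnerable(sid))       # ... drop GET /role-selector, browse home
    print(auth.home_fixed(sid))
```

The sequence in the main block is the lab's: log in, never send the role-selector request, load the home page. Only the fail-closed version refuses to guess a role for the half-finished session.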
URL access control manipulation
X-Original-URL
This header carries the URL that was originally requested before any rewriting occurred, and some back-end frameworks route on it in preference to the request line. If the front end enforces access control on the literal path only, the two components disagree about which resource is being requested.
Send a request for an unrestricted path and set the X-Original-URL header to /admin. Observe that you can now access the admin page. To delete carlos, add ?username=carlos to the real query string (the query string is still taken from the request line, not from the header) and change the X-Original-URL path to /admin/delete.
Trace to Admin
The /admin portal is unreachable with a normal GET, but changing the request to TRACE /admin returns a response that echoes the request as the back end received it, including an X-Custom-IP-Authorization: header that the front end added on the way through. Add the identified header to the GET /admin request, set to an address the back end treats as internal (127.0.0.1 in the usual case), to bypass the access control in front of the admin authentication.
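Both header-driven bypasses in this section (X-Original-URL routing and the TRACE-leaked X-Custom-IP-Authorization header), as one added example that is not code from the page or from any lab: two toy front-end/back-end pairs that reproduce the behaviour, plus a hardened front end that strips client-supplied internal headers, overwrites the IP tag itself and refuses TRACE. Header names come from the text above; the IP addresses, paths and response strings are constructed.

```python
# Added example (not code from the page or any lab): two toy front-end/back-end
# pairs reproducing the header-driven bypasses above, plus one hardened front end
# that stops both. Header values, paths and the IP addresses are constructed.
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str
    target: str                          # request-target: path plus optional query
    headers: dict = field(default_factory=dict)
    client_ip: str = "203.0.113.9"       # constructed external client address


def split_target(target):
    parts = urlsplit(target)
    return parts.path, parse_qs(parts.query)


# Scenario 1: front end filters on the literal path, back end routes on X-Original-URL.
def frontend_pathfilter(req, backend):
    path, _ = split_target(req.target)
    if path.startswith("/admin"):
        return 403, "Access denied"
    return backend(req)


def backend_original_url(req):
    # The header replaces the routed path, but the query string is still the one
    # on the request line, which is why ?username= goes in the real URL.
    path, query = split_target(req.target)
    path = req.headers.get("X-Original-URL", path)
    if path == "/admin":
        return 200, "admin panel"
    if path == "/admin/delete":
        return 200, "deleted " + query.get("username", [""])[0]
    return 200, "public page"


# Scenario 2: front end tags requests with the client IP, back end trusts the tag.
def frontend_iptag(req, backend):
    # Sets the header only when absent, so a client-supplied value survives,
    # and forwards TRACE like any other method.
    req.headers.setdefault("X-Custom-IP-Authorization", req.client_ip)
    return backend(req)


def backend_iptrust(req):
    if req.method == "TRACE":
        # TRACE echoes the request as the back end received it, headers included.
        return 200, "\n".join(f"{k}: {v}" for k, v in req.headers.items())
    path, _ = split_target(req.target)
    if path.startswith("/admin"):
        if req.headers.get("X-Custom-IP-Authorization") != "127.0.0.1":
            return 401, "Admin interface only available to local users"
        return 200, "admin panel"
    return 200, "public page"


def leaked_headers(trace_body):
    """Parse a TRACE echo back into a header dict; this is where the
    X-Custom-IP-Authorization name (and its normal value) shows up."""
    return dict(line.split(": ", 1) for line in trace_body.splitlines())


# Hardened front end usable in front of either back end.
INTERNAL_HEADERS = ("X-Original-URL", "X-Rewrite-URL", "X-Custom-IP-Authorization")


def frontend_hardened(req, backend):
    if req.method == "TRACE":
        return 405, "Method not allowed"
    for name in INTERNAL_HEADERS:          # never accept these from the client
        req.headers.pop(name, None)
    req.headers["X-Custom-IP-Authorization"] = req.client_ip
    path, _ = split_target(req.target)
    if path.startswith("/admin"):
        return 403, "Access denied"
    return backend(req)


def demo_original_url():
    direct = frontend_pathfilter(Request("GET", "/admin"), backend_original_url)
    bypass = frontend_pathfilter(
        Request("GET", "/?username=carlos", {"X-Original-URL": "/admin/delete"}),
        backend_original_url)
    return direct, bypass


def demo_trace():
    echo = frontend_iptag(Request("TRACE", "/admin"), backend_iptrust)
    leaked = leaked_headers(echo[1])
    denied = frontend_iptag(Request("GET", "/admin"), backend_iptrust)
    spoofed = frontend_iptag(
        Request("GET", "/admin", {"X-Custom-IP-Authorization": "127.0.0.1"}),
        backend_iptrust)
    return leaked, denied, spoofed


if __name__ == "__main__":
    print(demo_original_url())
    print(demo_trace())
```

The hardening does three things the vulnerable front ends do not: it rejects TRACE so nothing echoes internal headers, it drops any header the back end interprets as trusted metadata before forwarding, and it sets the IP tag unconditionally rather than only when absent. The literal-path check on its own is not enough, since the back end can still be steered by headers the front end never looked at.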