Access Control

Mail change with json body with roleID

send to Intruder, then add "roleid":§32§ into the JSON body of the request, and fuzz the possible roleid

POST /my-account/change-email HTTP/1.1
Host: TARGET.net

{
 "csrf":"u4e8f4kc84md743ka04lfos84",
 "email":"carlos@server.net",
 "roleid": 42
}

Attacker identify the possible role ID of administrator role and then send this request with updated roleId to privilege escalate the current logged in user to the access role of administrator.

Forward the POST /login request. The next request is GET /role-selector. Drop this request and then browse to the lab's home page. Observe that your role has defaulted to the administrator role and you have access to the admin panel.

URL access control manipulation

X-Original-URL

This header essentially carries the original URL that was requested before any rewriting occurred.

Change the value of the X-Original-URL header to /admin. Observe that you can now access the admin page.
To delete carlos, add ?username=carlos to the real query string, and change the X-Original-URL path to /admin/delete

Trace to Admin

Unable to reach /admin portal, but when changing the GET request to TRACE /admin this response contain an X-Custom-IP-Authorization: header. Use the identified header to by access control to the admin authentication.

GET /admin HTTP/2
Host: TARGET.net
X-Custom-Ip-Authorization: 127.0.0.1
Cookie: session=2ybmTxFLPlisA6GZvcw22Mvc29jYVuJm

PreviousAPI Testing - TODO NextCORS

Last updated 1 year ago

hashtagMail change with json body with roleID

hashtagDropdown role

hashtagURL access control manipulation

hashtagTrace to Admin

Mail change with json body with roleID

Dropdown role

URL access control manipulation

Trace to Admin