Delete Anyone's Support Ticket (Privilege Escalation / IDOR)



Hello friends, today I am posting my POC on a Privilege Escalation bug which I found in a website :) It was my first Privilege Escalation bug. Thanks to my friend Hammad Shamsi for nice tips on it.

What is Privilege Escalation :-

 A privilege escalation attack is a type of network intrusion that takes advantage of programming errors or design flaws to grant the attacker elevated access to the network and its associated data and applications.

Not every system hack will initially provide an unauthorized user with full access to the targeted system. In those circumstances privilege escalation is required. There are two kinds of privilege escalation: vertical and horizontal.

Vertical privilege escalation requires the attacker to grant himself higher privileges. This is typically achieved by performing kernel-level operations that allow the attacker to run unauthorized code.

Horizontal privilege escalation requires the attacker to use the same level of privileges he already has been granted, but assume the identity of another user with similar privileges. For example, someone gaining access to another person's online banking account would constitute horizontal privilege escalation. 


In the POC there was Horizontal Privilege Escalation, so let's start :-

The site was an API development site, and it is good too, so I started digging into it. In the developers' place there were ready-made APIs. I opened one and there was an API Support section, and I started testing it. First I found Stored Cross-Site Scripting :D nice. After that I fired up Burp, opened another support issue which was there, and then intercepted it. This is what the request looked like :-

https://www.site.com/api/middleware/accounts/[Value]/apis/[Value]/versions/[Value]/issues/[Value]

Now the problem lies in the issue ID value "/issues/[Value]". If an attacker deletes his own issue listed there, the request is like this :-



Now all the attacker has to do is change the issue ID to the victim's issue ID and forward the request, and the victim's support ticket will be deleted.
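The missing server-side check, as an added example that is not part of the original post or the site's code: a delete handler that trusts the issue ID alone, beside one that ties the ticket to the authenticated account. The function names, the in-memory store and the `session_account` parameter are assumptions; the path segments mirror the URL shown above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Issue:
    issue_id: int
    account_id: int   # account that opened the ticket (assumed ownership field)
    api_id: int
    version_id: int

class Forbidden(Exception):
    pass

class NotFound(Exception):
    pass

def make_store():
    # Constructed sample data: two accounts, one ticket each on the same API version.
    return {
        101: Issue(101, account_id=1, api_id=7, version_id=2),
        102: Issue(102, account_id=2, api_id=7, version_id=2),
    }

def delete_issue_vulnerable(store, session_account, account_id, api_id, version_id, issue_id):
    # Flawed pattern: the ticket is looked up by ID alone; the caller's identity
    # and the other path segments are never compared with the stored record.
    if issue_id not in store:
        raise NotFound(issue_id)
    del store[issue_id]

def delete_issue_checked(store, session_account, account_id, api_id, version_id, issue_id):
    # 1. The account named in the path must be the authenticated account.
    if account_id != session_account:
        raise Forbidden("path account does not match session")
    issue = store.get(issue_id)
    # 2. The record must belong to the caller and sit under exactly the parents
    #    named in the path. "Missing" and "not yours" return the same error so
    #    the response does not confirm which ticket IDs exist.
    if (issue is None
            or issue.account_id != session_account
            or (issue.api_id, issue.version_id) != (api_id, version_id)):
        raise NotFound(issue_id)
    del store[issue_id]
```

The same ownership comparison belongs on every verb that takes the issue ID (read, update, delete), not only on the delete route.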

Thanks. If you need any more info, comment below, and if it is confusing, tell me so I can do something about it :)


Hi, this is Osama Mahmood, and I will share all my knowledge and skills on #infosec with you. I hope you will enjoy learning new and unique things. Follow me on Twitter @OsamaMahmood007