Jul 31, 2025
Real-world Critical Vulnerabilities: CSRF + Mass-Assignment = Privilege Escalation to Admin 🥷
𝐄𝐧𝐮𝐦𝐞𝐫𝐚𝐭𝐢𝐨𝐧
During a pentest a while ago, I saw that the 'GET /user' endpoint returned a JSON object with the current user's information and a ton of permission flags (all booleans), most notably 'isAdmin'.
The app also had a 'POST /user' endpoint, which allowed editing our current user.
𝐈𝐝𝐞𝐧𝐭𝐢𝐟𝐲𝐢𝐧𝐠 𝐌𝐢𝐬𝐜𝐨𝐧𝐟𝐢𝐠𝐮𝐫𝐚𝐭𝐢𝐨𝐧𝐬
Naturally, I tried updating my user and setting the 'isAdmin' flag to 'true' but that didn't work.
Interestingly, the app didn't have any CSRF tokens, and the session cookie was set to 'SameSite=None', meaning the developers relied on the app only accepting JSON bodies to mitigate CSRF (a cross-site HTML form can only submit URL-encoded, multipart or text/plain bodies, not JSON). Fortunately for us, the app also accepted URL-encoded POST requests, which means that we had successfully identified a CSRF vulnerability!
𝐄𝐬𝐜𝐚𝐥𝐚𝐭𝐢𝐧𝐠 𝐂𝐒𝐑𝐅
Now, a CSRF vulnerability is nice, but on its own it would only be of Medium severity. So the next thing we have to do is escalate it.
For this, I went back to the 'POST /user' endpoint and realized that it was vulnerable to Mass Assignment: when the request came from an admin user, the endpoint accepted the 'isAdmin' flag in the body and applied it to any user (it's hard to say whether this was intended or not).
𝐄𝐱𝐩𝐥𝐨𝐢𝐭𝐚𝐭𝐢𝐨𝐧
This means that we can create an HTML snippet like the one I attached to this post, host it on dub-flow[.]com, and then lure an admin user of the app onto that page. Once they open it, a POST request is sent to the app that makes my user an admin.
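The chain above works because of two independent server-side gaps: the CSRF defence silently depended on "we only speak JSON" (and then accepted URL-encoded bodies anyway), and the update handler copied whatever fields arrived in the body onto the user record. The following is an added example, not code from the tested application or from the post's author, showing how a 'POST /user' handler closes both gaps: a strict content-type check plus an Origin allow-list and a SameSite=Lax session cookie break the cross-site form post, and an explicit allow-list of editable fields means 'isAdmin' (or any other permission flag) can never be set through this endpoint regardless of who sends the request. The origin, field names and request model are assumptions made for the example; it is framework-free so it runs offline.

```python
"""Hardened profile-update handling: CSRF checks + mass-assignment allow-list.

Added illustrative example; the application in the post is not shown here.
"""
from dataclasses import dataclass, field
import json

# Assumed values for the example (not from the tested application).
ALLOWED_ORIGINS = {"https://app.example.com"}
EDITABLE_FIELDS = {"displayName", "email", "timezone"}  # never any permission flag


@dataclass
class Request:
    """Minimal stand-in for a framework request object."""
    headers: dict
    body: bytes


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def csrf_check(req: Request):
    """Return None when the request may proceed, else a short rejection reason.

    A cross-site <form> cannot produce an application/json body, and a
    cross-site fetch() with that content type triggers a CORS preflight that
    fails without an explicit Access-Control-Allow-Origin. The check must be an
    exact match on the media type, not "contains json", and it must not fall
    back to accepting form-encoded bodies, which is what broke the app above.
    """
    media_type = req.headers.get("Content-Type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        return "unsupported content type"
    # Browsers attach Origin to cross-site POSTs; treat a missing or unknown
    # origin as hostile rather than as a pass.
    origin = req.headers.get("Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return "origin not allowed"
    return None


def update_user(current_user: dict, req: Request) -> Response:
    """Apply a profile update, copying only allow-listed fields.

    Returns a new user dict (the input is not mutated) and the list of fields
    that were ignored, which is worth logging: a client that keeps submitting
    'isAdmin' is a good detection signal.
    """
    err = csrf_check(req)
    if err:
        return Response(403, {"error": err})
    try:
        payload = json.loads(req.body)
    except ValueError:
        return Response(400, {"error": "invalid json"})
    if not isinstance(payload, dict):
        return Response(400, {"error": "expected a JSON object"})

    ignored = sorted(set(payload) - EDITABLE_FIELDS)
    updated = dict(current_user)
    for name in EDITABLE_FIELDS & set(payload):
        updated[name] = payload[name]
    return Response(200, {"user": updated, "ignored": ignored})


def session_cookie(session_id: str) -> str:
    """Set-Cookie value for the session: SameSite=Lax stops the cookie from
    riding along on a cross-site form POST in the first place."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    user = {"id": 7, "displayName": "old", "isAdmin": False}
    forged = Request({"Content-Type": "application/x-www-form-urlencoded",
                      "Origin": "https://attacker.example"},  # constructed
                     b"isAdmin=true")
    print(update_user(user, forged))          # 403: unsupported content type
    legit = Request({"Content-Type": "application/json",
                     "Origin": "https://app.example.com"},
                    b'{"displayName": "new", "isAdmin": true}')
    print(update_user(user, legit))           # 200, isAdmin stays False
```

Note that the field allow-list is what makes the endpoint safe even for a genuine admin session: the page's Mass Assignment finding was that an admin could set 'isAdmin' on any user through this same update path, and an allow-list that never includes permission flags removes that path entirely; granting admin rights then has to go through a dedicated, separately authorised endpoint.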
Subscribe to our Patreon Channel to access exclusive pentesting content from our leading expert Florian.