
Broken Access Control Leading to Privilege Escalation


Overview

During a web application penetration test, I identified a broken access control issue that allowed a low-privileged user to escalate their privileges to administrator. The issue was easy to identify and had a high impact, as it allowed full control over user roles. This matters because access control failures like this can collapse trust boundaries with very little effort.

Objective

The objective of the engagement was to assess the access control mechanisms within a web application. Testing was performed in a grey-box context, with credential pairs provided for both a low-privileged user account and an administrator account.

Discovery

To identify access control weaknesses, I logged into the application using both the low-privileged user account and the administrator account. I then compared available functionality between the two roles to understand which features were intended to be restricted to administrators.

Using Burp Suite with the Autorize extension enabled, I browsed the application as the administrator while replaying requests using the low-privileged user’s session cookies. During this process, I paid close attention to response behaviour, particularly response content length.

Several admin-only endpoints returned responses with identical content lengths when accessed using low-privileged credentials. This was a strong indicator that access control checks were either missing or incorrectly enforced. I noted these endpoints for further testing.

After identifying the endpoints that behaved similarly for both roles, I manually replayed the admin-specific requests using the low-privileged user account. The application did not prevent access to these endpoints and returned valid responses.

One of the affected endpoints controlled user role management functionality. By accessing this endpoint as a low-privileged user, I was able to modify user privilege levels. This allowed me to grant administrative privileges to my own account as well as to other registered users.

Although tooling such as Autorize helped surface the issue quickly, the underlying problem was a lack of server-side access control enforcement. The application trusted the request regardless of the authenticated user’s role, enabling privilege escalation.

Takeaway

Access control must always be enforced server-side and validated per request. Relying on client-side restrictions or assumed user roles can lead to simple but severe privilege escalation vulnerabilities.
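To make the failure and the fix concrete, here is an added example (not code from the original post or from the application under test) modelling the role-management endpoint twice: once in the vulnerable shape, where any authenticated session is trusted for an admin action, and once with the server-side, per-request role check that the takeaway calls for. It also includes a small differential check that replays the same admin request under a low-privileged session and flags identical status and content length, which is the Autorize-style signal used during discovery. The user store, session cookies, endpoint path and role names are all constructed.

```python
"""In-memory model of a role-management endpoint, vulnerable and hardened.
Constructed example: users, roles and session cookies below are invented.
"""
import json
from dataclasses import dataclass, field

# Constructed user store: username -> role (server-side source of truth)
USERS = {"alice": "admin", "bob": "user", "carol": "user"}

# Constructed session store: opaque cookie value -> username
SESSIONS = {"sess-admin-0001": "alice", "sess-user-0002": "bob"}

VALID_ROLES = ("user", "admin")


@dataclass
class Request:
    method: str
    path: str
    cookie: str
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str

    @property
    def content_length(self) -> int:
        return len(self.body.encode())


def current_user(req: Request):
    """Resolve the caller from the server-side session store, never from the body."""
    return SESSIONS.get(req.cookie)


def set_role_unchecked(req: Request, users: dict) -> Response:
    """Vulnerable handler: authenticated, but never checks the caller's role."""
    if current_user(req) is None:
        return Response(401, json.dumps({"error": "login required"}))
    users[req.body["user"]] = req.body["role"]  # any logged-in user can do this
    return Response(200, json.dumps({"user": req.body["user"], "role": req.body["role"]}))


def set_role(req: Request, users: dict) -> Response:
    """Hardened handler: role looked up server-side and enforced on every request."""
    actor = current_user(req)
    if actor is None:
        return Response(401, json.dumps({"error": "login required"}))
    if users.get(actor) != "admin":
        # Deny before touching any state; the decision uses the stored role only.
        return Response(403, json.dumps({"error": "forbidden"}))
    target, role = req.body.get("user"), req.body.get("role")
    if target not in users or role not in VALID_ROLES:
        return Response(400, json.dumps({"error": "bad request"}))
    users[target] = role
    return Response(200, json.dumps({"user": target, "role": role}))


def differential_check(handler, req: Request, admin_cookie: str, user_cookie: str) -> dict:
    """Replay one admin request under both sessions against separate copies of state.

    Matching status and content length across the two sessions is the signal the
    post describes: it suggests the endpoint is not enforcing the role check.
    """
    admin_resp = handler(Request(req.method, req.path, admin_cookie, dict(req.body)), dict(USERS))
    user_resp = handler(Request(req.method, req.path, user_cookie, dict(req.body)), dict(USERS))
    same_length = admin_resp.content_length == user_resp.content_length
    return {
        "admin_status": admin_resp.status,
        "user_status": user_resp.status,
        "same_length": same_length,
        "suspect": admin_resp.status == user_resp.status and same_length,
    }


if __name__ == "__main__":
    # Constructed request: the admin-only role change the post describes.
    req = Request("POST", "/admin/users/role", "", {"user": "bob", "role": "admin"})
    for name, handler in (("unchecked", set_role_unchecked), ("hardened", set_role)):
        print(name, differential_check(handler, req, "sess-admin-0001", "sess-user-0002"))
```

The same differential check belongs in the application's own regression suite: every admin-only route should be exercised once with an admin session and once with a low-privileged one, asserting that the second returns 403 rather than merely comparing lengths by hand.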