In the name of Allah, the Most Gracious, the Most Merciful
Hello guys, today I'm going to tell you how I escalated my privileges and bypassed a 403 Forbidden by response manipulation.
So let's start:
First I created two accounts, let's call them X and Y. As X, I invited Y to my team and gave him the User Manager role, so he can't access any settings; he can only modify things related to the users.
When Y enters the site, the API sends some requests. Two of them matter: one identifies the user and his role, and the other returns the authorities of this user in the response. So what if I edited the responses of these two requests? I modified the first one, changing "USER_MANGER" to "ADMIN",
and in the second one I added one of the Admin authorities, which led me to have access to the Advanced Settings in the UI (I can't show this response as the report is still not disclosed).
But when I tried to access the Advanced Settings, it gave me 403 Forbidden.
So how can I bypass the 403?
What if I changed the status code, deleted the error and added the response the Admin gets when he enters the Advanced Settings?
So I changed 403 to 200 and Forbidden to OK, deleted the error and added the response of entering the Advanced Settings.
These types of settings, and the client secret, were accessible, even though the client secret is not accessible to the admin even in the UI.
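As an added example from the defender's side (this is not code from this write-up or from the affected program), here is a minimal Python request handler that closes both gaps this story depends on: the role and authorities the UI receives are never used as authorization input, and every data endpoint is checked server-side against its own policy, with deny-by-default for any endpoint nobody listed. The session tokens, the `X-Role` header, the paths, the backing data and the role name `USER_MANAGER` (spelled from the page's "USER_MANGER") are all constructed for the example.

```python
"""Server-side authorization that ignores anything the client says about itself.

Added example, not code from the write-up or the affected program. All tokens,
roles, paths and data below are constructed.
"""
from enum import Enum


class Role(str, Enum):
    ADMIN = "ADMIN"
    USER_MANAGER = "USER_MANAGER"   # constructed spelling of the page's "USER_MANGER"


# Constructed session store: the role lives server-side, keyed by session token.
# The client never sends its role; it only sends the token.
SESSIONS = {
    "tok-x": {"user": "X", "role": Role.ADMIN},
    "tok-y": {"user": "Y", "role": Role.USER_MANAGER},
}

# Constructed per-endpoint policy. Anything not listed is denied, so a new
# endpoint cannot ship unprotected by mistake. There is deliberately no entry
# for the client secret: the server never returns it, not even to an admin.
ENDPOINT_POLICY = {
    "/api/me":                {Role.ADMIN, Role.USER_MANAGER},
    "/api/users":             {Role.ADMIN, Role.USER_MANAGER},
    "/api/settings/advanced": {Role.ADMIN},
}

# Constructed backing data. The secret exists in storage, but no policy
# entry exposes it for reading.
DATA = {
    "/api/users": ["X", "Y"],
    "/api/settings/advanced": {"sso": "enabled"},
    "/api/settings/client-secret": "<placeholder-secret>",
}


def handle(path: str, headers: dict) -> tuple[int, dict]:
    """Authorize a request using only the server-side session.

    The role the client claims (a header, a body field, or a role it rewrote
    in an earlier response) is never consulted. The only authorization input
    is the session token, resolved against SESSIONS on the server.
    """
    token = headers.get("Authorization", "").removeprefix("Bearer ").strip()
    session = SESSIONS.get(token)
    if session is None:
        return 401, {"error": "unauthenticated"}

    allowed = ENDPOINT_POLICY.get(path)
    if allowed is None or session["role"] not in allowed:
        # Same 403 whether the endpoint is unknown or the role is too low,
        # and the body never echoes what a higher role would have received.
        return 403, {"error": "forbidden"}

    if path == "/api/me":
        return 200, {"user": session["user"], "role": session["role"].value}
    return 200, {"data": DATA[path]}


def unprotected_endpoints(routes) -> list[str]:
    """Review helper: routes the server exposes with no policy entry.

    Run this in CI against the router's route table. With deny-by-default a
    missing entry fails closed, but it still signals a route nobody reviewed.
    """
    return sorted(r for r in routes if r not in ENDPOINT_POLICY)


if __name__ == "__main__":
    # Y claims ADMIN in a header; the server ignores the claim and denies.
    print(handle("/api/settings/client-secret",
                 {"Authorization": "Bearer tok-y", "X-Role": "ADMIN"}))
    # The admin's own session gets the advanced settings, but not the secret.
    print(handle("/api/settings/advanced", {"Authorization": "Bearer tok-x"}))
    print(handle("/api/settings/client-secret", {"Authorization": "Bearer tok-x"}))
    print(unprotected_endpoints(["/api/me", "/api/settings/export"]))
```

The point of the design is that rewriting a 403 into a 200 in the browser only changes what the UI renders; the follow-up request for the settings data still reaches `handle`, which re-derives the role from the session and applies the endpoint's own policy. The detection side is the same check: a 403 on `/api/settings/advanced` followed by successful reads of the data behind it, from the same session, is the signature of a page gate without a data gate.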
Finally, it was triaged by the program team.
I hope you all learn something new from this write-up.
My social media links:
LinkedIn: https://www.linkedin.com/in/momen-ahmed-a34038265/
X: https://x.com/hopeleesssteve?s=21&t=OtZMXIKJEwDMWqLOmkp-4Q