Privilege Escalation through ID Reflection

As technology continues to advance, companies are becoming increasingly reliant on digital systems to store and manage their data. This has created new opportunities for security researchers to find vulnerabilities and earn rewards through bug bounty programs. In this write-up, we will explore a privilege escalation vulnerability that I discovered on a test website, and how I bypassed the restrictions on an invited collaborator’s access to the project settings.

The Vulnerability
The vulnerability that I found was a privilege escalation flaw in the access control of the test website. The website required users to create a project first after signing up. As the owner of the project, I had full control over the settings and could invite other users to collaborate on the project. However, when I invited another test account to the project, I noticed that the account did not have access to the “Settings & Collaborators” feature in the project dashboard.

As the owner of the project, I was able to access the project settings with full privilege, but I needed to find a way to bypass the access control for the invited collaborator’s account. I began to explore other endpoints on the website, and found an option in the Dashboard named “Base Settings.” Here, I found the authentication settings for a project that I had created with the invited collaborator’s account, which was named “ji.” When I hovered my cursor over the “ji” hyperlink, It was possible to view the project ID in reflection.

Using this information, I changed the project role to “victim’s project” and went back to the Base Settings option. Here, I got the Authentication Settings for “victim’s project” by hovering my cursor over the project name hyperlink.

This allowed me to construct a URL: https://thejulfikar.sh/projects/XXX-victim's-project-id-XXX/settings, which granted me full access to the project owner’s privilege.

Lessons Learned

This experience taught me several important lessons. Firstly, it is crucial to conduct a thorough analysis of all available endpoints on a website to identify vulnerabilities. Secondly, it is important to think creatively and find ways to bypass access controls that may be in place. Finally, reporting vulnerabilities to the appropriate channels via HackerOne which is essential for ensuring that they are addressed and the security of the website is improved.

Conclusion

By following these steps, an attacker could bypass the privilege restrictions set on the platform and gain unauthorized access to project settings. This vulnerability could have serious consequences, including exposure of sensitive information or the ability to modify the project settings. In conclusion, the privilege escalation vulnerability that I discovered on the test website allowed me to bypass access controls and gain full privilege to the project owner’s account. This experience was a valuable learning opportunity and reinforced the importance of security research in today’s digital landscape.

“About the author: Muhammad Julfikar Hyder is a bug bounty hunter and cybersecurity enthusiast. You can follow them on Twitter at @thejulfikar for more security tips and updates on their latest findings.”