Privilege Escalation via Registration Feature Writeup

👋 Hello, fellow security geeks!

Sometimes, the biggest vulnerabilities hide in the most basic features. Recently, I was testing a web application when I stumbled upon a critical privilege escalation bug — all because the system trusted user input a little too much.

🧐 The Discovery

I was casually testing a web application when I decided to take a closer look at its registration process.

Nothing fancy — just the usual fields: name, username, email, phone, password, and… a Role field. That instantly caught my attention.

Most applications don’t allow users to self-assign roles during registration. The server should automatically set it to a default value, like “User.” But what if I could change it?

I modified "role": "User" to "role": "Admin" and forwarded the request.

I checked my newly created account, logged in… and yay — I am an Admin! No privilege checks, no approval process, just instant escalation. I now had access to admin-only management features, including Products, Orders, Discounts, Categories, User accounts, Product pickup requests.

🚨 Why This Happens?

This kind of vulnerability occurs when role assignments rely on user input instead of being enforced server-side. The application should ignore any role parameter provided by the user and assign roles securely based on predefined logic. The server should ignore or sanitize any Role field provided in the request.

I hope this write-up helps developers and security professionals stay vigilant against similar issues. Stay secure, and happy hunting! 🔎💻