Each and every request makes sense…

Hello Everyone,

I hope your 2020 wasn’t that bad and you still gave your efforts to be productive.

In this short write-up, I will talk about how I was able to access every admin account within the same organization as well as across organizations. It was found on a company that is very well known in the developer community; however, I won’t mention its name as it is a private program.

So this is a digital-signature website where anyone can send a document to another person to sign. The application manages its access control well, with properly separated roles and no inter-role leakage (privilege escalation). It used traditional cookies for normal users and a JWT sent in an “X-admin-token” header to identify admins, which in my view is the better way to manage roles if implemented correctly. However, one thing stood out: an admin can be a normal user too. That raised a series of questions in my mind about how this could be happening.

So, after attaching Burp to the browser, I read each and every request to see how an admin user obtains the JWT even though he was using cookies. To my surprise, a single request (shown below) issues a JWT to the admin without checking his cookies, just by supplying an ID that is public within the organization.

[Screenshot from the original post: the request that returns the JWT for a supplied public ID]

So any user can simply call that URL in his own session and receive the JWT. The user can then exchange this token to obtain an “X-admin-token”.
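The flaw described above is a token-issuance endpoint that trusts a public identifier instead of the caller’s authenticated session. The following is an added illustration, not code from the program or the write-up: a minimal stand-alone Python model of the vulnerable issuance pattern next to a fixed version that binds the admin token to the session, its role and its organization, plus an admin API that checks the token’s organization scope. The HS256 encoder, the secret, the session table, the account table and the billing data are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for the example only; a real service loads it from a secret store.
SECRET = b"example-signing-key-not-for-production"

# Constructed session store: session cookie -> authenticated principal.
SESSIONS = {
    "cookie-alice": {"user_id": "u1", "org_id": "org-A", "is_admin": True},
    "cookie-bob":   {"user_id": "u2", "org_id": "org-A", "is_admin": False},
    "cookie-carol": {"user_id": "u3", "org_id": "org-B", "is_admin": False},
}

# Constructed mapping of public account IDs to the organization they belong to.
ACCOUNTS = {"acct-A": "org-A", "acct-B": "org-B"}

TOKEN_LIFETIME_SECONDS = 900


class Forbidden(Exception):
    """Raised when a request is refused by an access-control check."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload: dict) -> str:
    """Minimal HS256 JWT encoder, a stand-in for a real JWT library."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode_claims(token: str) -> dict:
    """Verify the HS256 signature and return the claims, or raise Forbidden."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise Forbidden("bad signature")
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def issue_admin_token_vulnerable(account_id: str) -> str:
    """The flawed pattern: trusts a public account ID and never looks at the caller's session."""
    org = ACCOUNTS[account_id]
    return _sign({"org": org, "role": "admin", "exp": int(time.time()) + TOKEN_LIFETIME_SECONDS})


def issue_admin_token_fixed(session_cookie: str, account_id: str) -> str:
    """Fixed pattern: the session must exist, own the account's organization and hold the admin role."""
    session = SESSIONS.get(session_cookie)
    if session is None:
        raise Forbidden("no valid session")
    org = ACCOUNTS.get(account_id)
    if org is None or org != session["org_id"]:
        raise Forbidden("account does not belong to the caller's organization")
    if not session["is_admin"]:
        raise Forbidden("caller is not an admin")
    claims = {"sub": session["user_id"], "org": org, "role": "admin",
              "exp": int(time.time()) + TOKEN_LIFETIME_SECONDS}
    return _sign(claims)


def billing_details(x_admin_token: str, org_id: str) -> dict:
    """Admin API: requires a valid, unexpired admin token scoped to the requested organization."""
    claims = decode_claims(x_admin_token)
    if claims.get("role") != "admin" or claims.get("org") != org_id:
        raise Forbidden("token not authorized for this organization")
    if claims.get("exp", 0) < time.time():
        raise Forbidden("token expired")
    return {"org": org_id, "plan": "enterprise", "card_last4": "0000"}  # constructed data


def outcome(fn, *args) -> str:
    """Return 'ok' or 'forbidden' so callers can compare the two issuance paths."""
    try:
        fn(*args)
        return "ok"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    # Non-admin Bob gets an admin token from the vulnerable path but not from the fixed one.
    print("vulnerable, bob:", outcome(issue_admin_token_vulnerable, "acct-A"))
    print("fixed, bob:     ", outcome(issue_admin_token_fixed, "cookie-bob", "acct-A"))
    print("fixed, carol:   ", outcome(issue_admin_token_fixed, "cookie-carol", "acct-A"))
    print("fixed, alice:   ", outcome(issue_admin_token_fixed, "cookie-alice", "acct-A"))
```

The detection angle is the same as the fix: an issuance endpoint whose only input is a public ID should be flagged in review, and an admin token that carries no `sub` claim tied to a session is a sign that issuance was never bound to a principal.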

[Screenshot from the original post: exchanging the JWT for an “X-admin-token”]

To check whether admin APIs were accessible, I tried this token against them. As expected, the token didn’t work with most APIs, since access control policies were attached to it.

[Screenshot from the original post: an admin API rejecting the token]

Digging further, I started searching for APIs where this token would be accepted, and after reading the company’s documentation I found many. One of them leaked the organization’s billing details.

[Screenshot from the original post: the API response leaking the organization’s billing details]

Impact

  1. Privilege escalation within the organization.
  2. Privilege escalation across organizations, where the accountID must be known; it can be learned if a person from a different company has sent you a document to sign.

Written by

Security Researcher
