I hope your 2020 wasn’t that bad and you still gave your efforts to be productive.
In this short write-up, I would talk about how I was able to access every admin account in the same organization as well as cross-organization. It was done on a company that is very well-known in the developer’s community. However, I won’t mention its name as it is a private program.
So this is a digital signature website where anyone can send a document to sign to the other person. The application manages well its access control by differentiating proper roles and no inter-role leakages(Privilege escalation). It used traditional cookies for normal users and JWT sent in an “X-admin-token” header to identify admin, which according to me is the better way to manage roles if implemented correctly. However, there was one thing noticeable that, an admin can be a normal user too. This sprouted a series of doubt in me of how can this be happening.
Thus, after attaching burp to the browser, I read each and every request of how an admin user is getting the JWT even though he was using cookies. But to my surprise, a single request(as below) is serving a JWT to the admin without checking his cookies, just by supplying an ID that is public to the organization.
So any user can just execute a URL in his session and would get the JWT. Now the user can exchange this token to obtain “X-admin-token”.
To check whether admin APIs are accessible or not I checked this token and as expected the token didn’t work with most APIs, as access control policies were attached to it.
Adding more to my work, I started searching some APIs where I can use this token and after some time I found many from reading company’s documentation, one of them was leaking billing details of the organization.
- Privilege escalation in the organization.
- Privilege escalation across organizations where accountID must be known, which can be known if a person from a different company has sent you a document to sign.