Each and every request makes sense…

Hello Everyone,

I hope your 2020 wasn’t that bad and that you still managed to be productive.

In this short write-up, I will talk about how I was able to access every admin account, both within the same organization and across organizations. The finding was on a company that is very well known in the developer community. However, I won’t mention its name as it is a private program.

This is a digital signature website where anyone can send a document to another person for signing. The application manages its access control well, with properly separated roles and no inter-role leakage (privilege escalation). It uses traditional session cookies for normal users and a JWT sent in an “X-admin-token” header to identify admins, which in my opinion is the better way to manage roles if implemented correctly. However, one thing stood out: an admin can be a normal user too. This raised a series of questions in my mind about how that could be working.

So, after attaching Burp to the browser, I read each and every request to see how an admin user obtains the JWT even though he is using cookies. To my surprise, a single request (shown below) serves the JWT to the admin without checking his cookies, just by supplying an ID that is public within the organization.

[Screenshot: User to Admin request]

So any user can simply request that URL in his own session and receive the JWT. The user can then exchange this token to obtain an “X-admin-token”.

To check whether the admin APIs were accessible, I tried this token against them; as expected, it did not work with most of them, since access control policies were attached to the token.
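To make the flaw in the token-issuing request and the role check on the resulting token concrete, here is an added example in Python (not code from the write-up or from the affected company). It models a token endpoint that mints an admin JWT from an ID in the request without consulting the caller’s session, beside a hardened version that only mints a token for the authenticated session’s own user and only when that user holds the admin role. The users, sessions, signing key and function names are constructed for the example; the JWT is HS256 built from the standard library so nothing needs to be installed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample data (not from the write-up): two organizations,
# each with an admin, plus one normal member in org-A.
USERS = {
    "u-1001": {"org": "org-A", "role": "admin"},
    "u-1002": {"org": "org-A", "role": "member"},
    "u-2001": {"org": "org-B", "role": "admin"},
}
# Cookie value -> user id, standing in for the server-side session store.
SESSIONS = {
    "cookie-admin-A": "u-1001",
    "cookie-member-A": "u-1002",
}
SECRET = b"constructed-demo-signing-key"  # hypothetical; a real service loads this from a secret store
TOKEN_TTL_SECONDS = 900


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _mint_jwt(claims: dict) -> str:
    """HS256 JWT built with the standard library only."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_admin_token(token: str) -> Optional[dict]:
    """Return the claims if the signature is valid, the token is unexpired and role == admin.

    This is the policy check an admin API applies to the X-admin-token header.
    """
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("role") != "admin" or claims.get("exp", 0) < time.time():
        return None
    return claims


def issue_admin_token_vulnerable(cookie: str, user_id: str) -> Optional[str]:
    """The pattern the write-up describes: the ID in the request is trusted and the
    caller's cookie is never consulted, so any session can obtain any user's token."""
    user = USERS.get(user_id)
    if user is None:
        return None
    return _mint_jwt({"sub": user_id, "org": user["org"], "role": user["role"],
                      "exp": int(time.time()) + TOKEN_TTL_SECONDS})


def issue_admin_token_fixed(cookie: str, user_id: str) -> Optional[str]:
    """Hardened: the token is minted only for the authenticated session's own user,
    and only if that user actually holds the admin role."""
    session_user = SESSIONS.get(cookie)
    if session_user is None:
        return None  # no valid session: reject as unauthenticated
    if session_user != user_id:
        return None  # requested ID is not the caller's own: log as an IDOR attempt
    user = USERS[session_user]
    if user["role"] != "admin":
        return None  # caller is a normal user: no admin token for them
    return _mint_jwt({"sub": session_user, "org": user["org"], "role": "admin",
                      "exp": int(time.time()) + TOKEN_TTL_SECONDS})
```

The vulnerable function will happily mint a valid admin token for the org-B admin when called from the org-A member’s session, which is the cross-organization case; the fixed one binds the minted identity to the session rather than to a client-supplied ID, so the only thing the request body can influence is whether the call is rejected.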

Going further, I started searching for APIs where I could use this token, and after some time reading the company’s documentation I found many; one of them leaked the organization’s billing details.

[Screenshot: Billing details]

Impact

  1. Privilege escalation in the organization.

Security Researcher