Broken Access Control leads to full team takeover and privilege escalation
Hello all,
Today I will share one of the findings I found most interesting while hunting for it.
Our target provides teams with two privilege levels: member and admin.
The team held sensitive data such as credit cards.
After testing the other functions, I moved on to the invite-users function.
Only the admin can invite new members to the team.
As you can see, the invite is a GraphQL request that carries both a Cookie header and an Authorization header.
The request parameters are:
1- account id: holds the team id
2- inviteeEmailAddress: the email address of the user being invited
3- inviterId: the id of the admin of this team
4- roleName: one of two values (member or admin)
The first thing I tried was removing the cookies and then the Authorization header, and I noticed that the server still responded with 200 OK and processed the request successfully:
I received the invitation at my email.
So now we know the server does not authenticate the caller at all; the mutation is authorized purely on the basis of the request parameters, which means it trusts the client-supplied inviterId as the identity of the inviter.
There are two attack scenarios:
1- Privilege Escalation
As a member of the team, I can see the team id,
so I only need to get the inviter id (the admin's id).
But how can I get this user id?
First, I found the admin's email in the members section of the team page,
so I started thinking about how to interact with him so that his id might leak in some request or response.
Note that there are no public profiles for any user.
After some digging, I decided to invite the victim user to join my own team (Hacker Team).
After I sent the invitation, I noticed that his membership was shown as pending his confirmation. Going back through the Burp Suite history, I found a request that fetches the team data; when I repeated that request, boom, the response for the pending invitee included the victim's id.
Note that I obtained the victim's id without any interaction from him.
I then sent the invite request again with the required parameters: the victim's team id as the account id, the victim's id as inviterId, my own address as inviteeEmailAddress and admin as roleName.
Finally, I received the invitation at my email, and after accepting it I became an admin and took over the victim's team with zero clicks from him.
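To make the root cause concrete, here is an added example that is not code from the original post or from the target. It models the invite mutation in memory in two forms: the vulnerable behaviour observed above (no session check, inviterId taken from the request body) and a hardened version (caller authenticated from the session, inviterId ignored, admin role checked against the target account). It also shows the two checks used in the post: replaying the captured request with Cookie and Authorization stripped, and forging the admin's inviterId to invite yourself as admin. All ids, tokens, emails and function names are constructed assumptions for illustration.

```python
"""Added example (not the original post's code): vulnerable vs hardened
invite-member handler. Every identifier below is a constructed sample."""
from dataclasses import dataclass

TEAM_ID = "acct-1001"            # constructed: the victim's team id
ADMIN_ID = "user-77"             # constructed: the victim admin's id
MEMBER_ID = "user-78"            # constructed: the attacker, a plain member
ATTACKER_EMAIL = "hacker@example.com"

# roles[(account_id, user_id)] -> "admin" | "member"   (constructed)
ROLES = {(TEAM_ID, ADMIN_ID): "admin", (TEAM_ID, MEMBER_ID): "member"}
# bearer token -> logged-in user id                      (constructed)
SESSIONS = {"token-admin": ADMIN_ID, "token-member": MEMBER_ID}


@dataclass
class Invite:
    account_id: str
    invitee: str
    inviter_id: str
    role: str


def build_request(token, inviter_id, role):
    """A captured-style invite request. token=None sends no auth headers."""
    headers = {"Cookie": "session=abc", "Authorization": f"Bearer {token}"} if token else {}
    variables = {"accountId": TEAM_ID, "inviteeEmailAddress": ATTACKER_EMAIL,
                 "inviterId": inviter_id, "roleName": role}
    return {"headers": headers, "json": {"query": "mutation InviteMember", "variables": variables}}


def strip_auth(req):
    """The post's first check: same body, Cookie and Authorization removed."""
    headers = {k: v for k, v in req["headers"].items()
               if k.lower() not in ("cookie", "authorization")}
    return {"headers": headers, "json": req["json"]}


def vulnerable_invite(req, store):
    """Behaviour observed on the target: nobody is authenticated and the
    client-supplied inviterId is recorded as the inviter."""
    v = req["json"]["variables"]
    if v["roleName"] not in ("member", "admin"):
        return 400
    store.append(Invite(v["accountId"], v["inviteeEmailAddress"], v["inviterId"], v["roleName"]))
    return 200


def hardened_invite(req, store):
    """Fix: identity comes from the session, never from the body, and the
    caller must be an admin of the account they are inviting into."""
    auth = req["headers"].get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401                     # unauthenticated: reject before any work
    v = req["json"]["variables"]
    if v["roleName"] not in ("member", "admin"):
        return 400
    if ROLES.get((v["accountId"], caller)) != "admin":
        return 403                     # members cannot invite, whatever inviterId says
    # v["inviterId"] is deliberately ignored; a leaked admin id is now useless
    store.append(Invite(v["accountId"], v["inviteeEmailAddress"], caller, v["roleName"]))
    return 200


def check_unauthenticated(handler):
    """True if the handler still accepts the admin's request with auth stripped."""
    return handler(strip_auth(build_request("token-admin", ADMIN_ID, "member")), []) == 200


def run_attack(handler):
    """The post's escalation: no auth headers, forged admin inviterId, role admin."""
    store = []
    status = handler(build_request(None, ADMIN_ID, "admin"), store)
    return status, [(i.inviter_id, i.invitee, i.role) for i in store]


def run_member_with_own_session(handler):
    """Variant: the member keeps their own session but still forges inviterId."""
    store = []
    return handler(build_request("token-member", ADMIN_ID, "admin"), store), len(store)


def run_legit(handler):
    """Control: the real admin inviting a member with a valid session."""
    store = []
    return handler(build_request("token-admin", ADMIN_ID, "member"), store), len(store)


if __name__ == "__main__":
    for name, h in (("vulnerable", vulnerable_invite), ("hardened", hardened_invite)):
        print(name, "accepts unauthenticated:", check_unauthenticated(h))
        print(name, "forged-admin attack:", run_attack(h))
        print(name, "member session + forged inviterId:", run_member_with_own_session(h))
        print(name, "legit admin invite:", run_legit(h))
```

The hardened handler fixes both halves of the bug at once: the 401 branch closes the missing-authentication hole found by stripping the headers, and taking the inviter from the session rather than the body means the id leaked through the pending-invitee team-data response no longer buys the attacker anything. When retesting a fix like this, replay all three variants (no auth, member session with forged inviterId, real admin) rather than only the original proof of concept.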