Open in app

Sign in

Write

Sign in

0xEbn-Taimia
3 min readMay 13, 2024

Broken Access Control leads to Take Admin Role

بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ | In the name of God, the most gracious, the most merciful

Hello hackers, My name is Momen samir (0xEbn-Taimia), Today i’ll be discussing a bug that i recently found with my friends by collaboration on bugcrowd

So lets git in to it , First the tools we used :

1- Subfinder (with API keys to collect more subdomains)

2- FFUF ( To fuzz for endpoints)

3-Burp suite ( a proxy tool to intercept the requests )

  • - First we collect the subdomains and we found a subdomain named :

https://mktgadt.example.com

The response from that subdomain was 404 not found with content lenght 0 zero

  • - But always fuzz may you find something, here we used ffuf

ffuf -w /home/kali/Desktop/wordlist/fuzz.txt -recursion -u https://mktgadt.example.com/FUZZ

After fuzzing we found an interesting endpoint with response 200 ok :

https://mktgadt.example.com/audience/login

The endpoint was an admin login page and there was a create account option !!!!

We immediately created the account but its normal user with no privilege with type : viewer

  • now we try to show the create account request in burp and we notice that the parameter “type” is existing in the request

what if we change the parameter value to admin ?

  • Booom ! we are admin and we can see the admin interface

there was more than one type and we can make account with any type :

  • 1- super-admin ( edit or delete or change privilege )
  • 2- admin ( delete)
  • 3- editor (can edit activity )
  • 4- viewer (just view )

now with super admin account try to edit any account privilege to see its work or no and,

its work !

We immediately report it to bugcrowd as P1 and it got triaged in just 5 minutes

but unfortunately the website team tell us that this finding had been fixed prior to this submission being accepted on their end

But how and it got triaged in just 5 minutes and the bug was fixed in less than 1 day

and they tell us that them still wanted to have a gesture of gratitude with us and decided to award us with a P4 bounty as this finding helped establish a communication channel with the owning team

we didn’t get the bounty we expected but in the end we can’t stop saying:

Thank god | الْحَمْدُ لِلَّهِ

Bug Bounty
Cybersecurity
Hunting
Bug Bounty Tips
Penetration Testing
0xEbn-Taimia

Written by 0xEbn-Taimia

104 Followers

Junior bug hunter

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams