Weirdest access control vulnerability I have ever found…
My name is Sirat, I'm an active bug bounty hunter on HackerOne. In this story I would like to share how I found an access control vulnerability that effectively prevented admins from removing permissions from my account in the organization.
The target and its application
The target is an application that allows its users to create organizations, track their websites and use many other features; it also allows admins to invite other users and create custom permissions for them.
I don't know exactly how it is built or what language it uses, but I suspect the permission configuration is quite complex, because this is a very weird vulnerability.
The vulnerability
I was exploring the permissions, trying to find an access control vulnerability just like any other researcher would: regularly testing it, sending requests to admin-only endpoints with lower roles. Of course it was too late for such easy exploitation and everything was forbidden, until… something interesting happened.
I noticed that, as admin, when I removed a permission from the attacker account (e.g. viewing organization users), the attacker's next request to fetch the users from the API endpoint took a little longer than usual.
Before the admin removed the permission, the API response took about 300 ms; after the permission was removed, the response took more than 1000 ms, but only for the first request after the removal. After that it went back to the usual 300 ms…
I wondered why the response was so slow. I believed the backend must be doing something extra, but I really didn't know why it behaved like that.
Then, just at random, I decided to brute force the restricted API endpoint (the one used to fetch users, which I didn't have permission for), but starting before the admin removed the permission. Here is what the request looks like:
GET /api/v2/users?limit=10&FUZZ HTTP/1.1
Host: api.target.com
…
As you can see, I added the FUZZ keyword since I use ffuf.
I started brute forcing it before the admin removed the permission from my account. Of course I didn't try any DoS; it was about 2 requests per second.
As admin, I successfully removed the permission from the attacker account. As attacker, I no longer had the permission, but the API endpoint I should have been restricted from was still working for me; I was never blocked even though the permission had already been removed, as long as I continued the brute force.
Here it is in short:
1. As attacker, you must already have the permission.
2. As attacker, start brute forcing the API endpoint (with null payloads) that you want to keep access to even after the admin removes the permission from you.
3. While the brute force continues, as victim/admin, remove the permission from the attacker.
4. As attacker, you are still able to see the response of the restricted API, and it keeps working as long as you keep brute forcing it…
I don't know what exactly caused this vulnerability, but I can tell it's one of the rarest access control vulnerabilities in the world.
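As an added illustration that is not the target's code and not part of the original post: one hypothetical mechanism that would produce exactly this symptom (slow first request after an idle period, stale grant kept alive under constant polling) is a sliding-expiration permission cache, where every lookup renews the cached decision. The constructed model below reproduces that behaviour and shows the hardened variant, which uses an absolute TTL and evicts the cached decision when a permission is revoked; `TTL`, `PermissionService` and `simulate` are my own names, not the application's.

```python
from dataclasses import dataclass, field

TTL = 5.0  # cached-decision lifetime in simulated seconds (assumed value)


@dataclass
class PermissionService:
    hardened: bool = False           # False reproduces the bug, True is the fixed variant
    granted: dict = field(default_factory=dict)   # authoritative store (the "database")
    cache: dict = field(default_factory=dict)     # key -> (decision, expires_at)
    backend_reads: int = 0           # counts slow authoritative lookups

    def revoke(self, user, perm):
        self.granted[(user, perm)] = False
        if self.hardened:
            # fix 1: a revocation evicts the cached decision, so the next
            # request must consult the authoritative store
            self.cache.pop((user, perm), None)

    def allowed(self, user, perm, now):
        key = (user, perm)
        hit = self.cache.get(key)
        if hit is not None and hit[1] > now:
            if not self.hardened:
                # bug: sliding expiration, every read renews the entry, so a
                # caller who keeps polling keeps the stale grant alive forever
                self.cache[key] = (hit[0], now + TTL)
            return hit[0]
        self.backend_reads += 1          # slow path (the ">1000 ms" request)
        decision = self.granted.get(key, False)
        self.cache[key] = (decision, now + TTL)  # fix 2: absolute TTL, never renewed
        return decision


def simulate(hardened, revoke_at=3.0, end=20.0, interval=0.5):
    """Attacker polls every `interval` s; admin revokes at `revoke_at`.
    Returns the decisions the attacker observed after the revocation."""
    svc = PermissionService(hardened=hardened)
    svc.granted[("attacker", "view_users")] = True  # constructed sample grant
    seen, t, revoked = [], 0.0, False
    while t <= end:
        if t >= revoke_at and not revoked:
            svc.revoke("attacker", "view_users")
            revoked = True
        ok = svc.allowed("attacker", "view_users", t)
        if revoked:
            seen.append(ok)
        t += interval
    return seen
```

In the buggy variant `simulate(hardened=False)` returns only `True` values after the revocation, while the same attacker stopping for longer than `TTL` gets denied on the next request, which is the idle-then-slow-then-denied pattern described above.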
I hope you enjoyed the story. Don't forget to follow me on Medium and Twitter: @siratsami71