Introduction
Hello everyone, how are you all doing? As you know, we solve PortSwigger Web Security labs on a daily basis. Today, in our 7th article on business logic flaws, we are covering the lab “Weak isolation on dual-use endpoint” from PortSwigger Web Security, with a step-by-step practical solution.
Lab Description Of Weak Isolation On Dual-Use Endpoint
In this lab, a business logic flaw lets us escalate privileges from a normal account to the admin account. After escalating privileges, we need to delete Carlos’ account. The login credentials provided for the lab are username=wiener and password=peter.
There are two types of privilege escalation: vertical and horizontal. Vertical privilege escalation means gaining the rights of a more privileged role (for example, administrator or root), while horizontal privilege escalation means gaining access to another account at the same privilege level. This lab is a vertical escalation: a normal user takes over the administrator account.
Lab Solution
So, first of all, access the lab. Once you have access, log in with the provided credentials. After logging in, you will land on the account page with the change-password form. I have attached a screenshot of the page. We need to obtain administrator privileges through this form.
Now, I am changing my password from “peter” to “1234”. Before clicking on the “Change Password” button, I will intercept the request in Burp Suite.
POST /my-account/change-password
As you can see, it is a POST request. Note that the account whose password is being changed is identified by a username parameter in the request body, sent alongside current-password and the two new-password fields; nothing ties the target account to the logged-in session.
I first tried setting username=administrator while leaving current-password=peter in place, but the server rejected it: the supplied current password is checked against the target account’s password, and peter is not the administrator’s password.
Then, I removed the current-password parameter entirely from the intercepted request (still with username=wiener) and submitted a new password. This time, my password was changed, which means the current-password check only runs when that parameter is present.
You can see the screenshot above for clarity.
Now we know that the endpoint changes a password without verifying the current one, as long as the current-password parameter is omitted. So, I set the username to administrator and forward this manipulated request to the server:
username=administrator&new-password-1=1234&new-password-2=1234
The server accepted the manipulated request, so the administrator’s password is now 1234, and I continue in the browser.
Remember to log out of wiener’s account first, then log in as administrator with the new password 1234. As you can see, we are now logged in as the administrator.
Now, we will finish the lab by deleting Carlos’ account from the admin panel.
We have successfully deleted Carlos’ account, and we have resolved the PortSwigger Web Security lab “Weak isolation on dual-use endpoint.”
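To make the flaw concrete, here is an added example (my own toy model, not PortSwigger’s code) of a “dual-use” password-change handler beside a hardened design. The parameter names follow the lab’s request body; the in-memory user store, the session model and the separate admin reset endpoint are assumptions for illustration. The replay function runs the same three requests the write-up describes against whichever handler you pass it.

```python
import hmac

# Constructed sample user store (clear-text passwords only to keep the toy short;
# the administrator's real password is deliberately unknown to the attacker).
USERS = {"wiener": "peter", "carlos": "carlos-pw", "administrator": "admin-pw-not-known"}
ADMINS = {"administrator"}


def fresh_store():
    return dict(USERS)


def vulnerable_change_password(store, session_user, form):
    """Dual-use endpoint as in the lab: the target account comes from the form, and
    the current-password check only runs when the parameter is sent, because the same
    handler also serves an admin 'reset without current password' flow."""
    target = form.get("username")
    if target not in store:
        return 404
    if "current-password" in form and form["current-password"] != store[target]:
        return 401
    new1, new2 = form.get("new-password-1"), form.get("new-password-2")
    if not new1 or new1 != new2:
        return 400
    store[target] = new1
    return 200


def hardened_change_password(store, session_user, form):
    """Self-service endpoint: the target is always the logged-in user (any username in the
    body is ignored) and the current password is always required."""
    if session_user not in store:
        return 401
    target = session_user
    supplied = form.get("current-password", "")
    if not hmac.compare_digest(supplied.encode(), store[target].encode()):
        return 401
    new1, new2 = form.get("new-password-1"), form.get("new-password-2")
    if not new1 or new1 != new2:
        return 400
    store[target] = new1
    return 200


def hardened_admin_reset(store, session_user, form):
    """Separate admin-only reset: authorised on the session's role, not on which
    parameters the client chose to send."""
    if session_user not in ADMINS:
        return 403
    target = form.get("username")
    if target not in store:
        return 404
    new1, new2 = form.get("new-password-1"), form.get("new-password-2")
    if not new1 or new1 != new2:
        return 400
    store[target] = new1
    return 200


def replay_lab(handler):
    """Replay the write-up's three requests as user 'wiener'.
    Returns the status of each step and the administrator's password afterwards."""
    store = fresh_store()
    me = "wiener"
    new = {"new-password-1": "1234", "new-password-2": "1234"}
    # Step 1: normal change of our own password with the correct current password.
    s1 = handler(store, me, {"username": me, "current-password": "peter", **new})
    # Step 2: point the request at administrator but keep wiener's old password.
    s2 = handler(store, me, {"username": "administrator", "current-password": "peter", **new})
    # Step 3: drop current-password entirely and target administrator.
    s3 = handler(store, me, {"username": "administrator", **new})
    return (s1, s2, s3), store["administrator"]


if __name__ == "__main__":
    print("vulnerable:", replay_lab(vulnerable_change_password))
    print("hardened:  ", replay_lab(hardened_change_password))
```

Against the vulnerable handler the third request succeeds and the administrator’s password becomes 1234, exactly the behaviour observed in Burp. The hardened version fails that request (and the second one) without touching the administrator account, because the target is derived from the session and the current password is mandatory; administrative resets live on a separate endpoint guarded by role, so the presence or absence of a parameter can no longer switch between the two behaviours.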
If you haven’t already, please follow us on Twitter @masaudsec. If you want to learn more about web hacking, you can explore the web security section on our website. Thank you for reading.
To continue studying, check out the next lab, Insufficient workflow validation; make sure you have covered the current lab before moving on. Good luck!