
Weak Isolation On Dual-Use Endpoint

Introduction

Hello everyone, how are you all doing? As you know, we solve PortSwigger Web Security labs on a daily basis. Today, we are covering the topic of business logic flaws in our 7th article. Specifically, we will be addressing the lab “Weak isolation on dual-use endpoint” from PortSwigger Web Security, providing a step-by-step practical solution.

Lab Description Of Weak Isolation On Dual-Use Endpoint

In this lab, there is a business logic flaw that requires us to escalate privileges from a normal account to an admin account. After escalating privileges, we need to delete Carlos’ account. The login credentials provided for the lab are username=wiener and password=peter.

There are two types of privilege escalations: vertical privilege escalation and horizontal privilege escalation. Vertical privilege escalation involves obtaining root/admin privileges, while horizontal privilege escalation grants access to another normal user’s account.

Lab Solution


So, first of all, access the lab. Once you have access, log in to your account using the provided credentials. After logging in, you will be redirected to the password change page. I have attached a screenshot of the page. We need to obtain admin user privileges through this page.


Now, I am changing my password from “peter” to “1234”. Before clicking on the “Change Password” button, I will intercept the request in Burp Suite.


POST /my-account/change-password

As you can see, it is a POST-based request and there is no password protection applied to it.

I tried to change the administrator’s password, but it didn’t work.

Then, I removed the current password from the intercepted request and tried to reset it with a new password. This time, my password got changed.


You can see the screenshot above for clarity.

Now we know that we can change the password even without the current password. So, I will set the username as “administrator” and forward this manipulated request to the browser.

username=administrator&new-password-1=1234&new-password-2=1234


I forwarded the manipulated request, with the username set to administrator, and now I will continue in the browser.


As you can see, we have obtained administrator privileges and successfully logged in as an admin. Remember, when you change the password, make sure to log out of Wiener’s account and log in with the administrator account.
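As an added illustration (not code from the lab or from PortSwigger), here is a minimal Python model of the dual-use change-password handler as the lab describes it, beside a hardened version that takes the account from the session and always checks the current password. The handler names, the user table and the passwords are constructed for the example.

```python
# Added example, not the lab's code: a dual-use change-password endpoint,
# vulnerable form beside a hardened form. Users and passwords are constructed.
import hmac

USERS = {"wiener": "peter", "administrator": "adm1n-s3cret"}  # constructed sample


def change_password_vulnerable(session_user, form, users=USERS):
    """Models the lab's flaw: the target account comes from the request body,
    and the current-password check is skipped when the field is absent."""
    target = form.get("username")
    if form.get("new-password-1") != form.get("new-password-2"):
        return 400, "passwords do not match"
    # Dual use: 'current-password' present -> change flow (checked);
    # absent -> reset flow (unchecked). The two flows are weakly isolated.
    if "current-password" in form:
        if not hmac.compare_digest(users.get(target, ""), form["current-password"]):
            return 403, "wrong current password"
    users[target] = form["new-password-1"]
    return 200, f"password changed for {target}"


def change_password_hardened(session_user, form, users=USERS):
    """Binds the target to the authenticated session and always requires the
    current password; an unauthenticated reset belongs on a separate endpoint."""
    target = session_user  # never trust a username from the request body
    if target is None:
        return 401, "not authenticated"
    current = form.get("current-password")
    if current is None or not hmac.compare_digest(users.get(target, ""), current):
        return 403, "current password required"
    if form.get("new-password-1") != form.get("new-password-2"):
        return 400, "passwords do not match"
    users[target] = form["new-password-1"]
    return 200, f"password changed for {target}"


def demo():
    """Replays the lab's request body as wiener against both handlers and
    returns (vulnerable status, admin pw after, hardened status, admin pw after)."""
    users_a, users_b = dict(USERS), dict(USERS)
    body = {"username": "administrator", "new-password-1": "1234", "new-password-2": "1234"}
    vuln = change_password_vulnerable("wiener", body, users_a)
    safe = change_password_hardened("wiener", body, users_b)
    return vuln[0], users_a["administrator"], safe[0], users_b["administrator"]
```

Running demo() shows the vulnerable handler overwriting the administrator's password from a wiener session, while the hardened handler rejects the same request and leaves it untouched.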

Now, we will solve the lab by deleting Carlos’ account.


We have successfully deleted Carlos’ account, and we have resolved the PortSwigger Web Security lab “Weak isolation on dual-use endpoint.”

If you haven’t already, please follow us on Twitter @masaudsec. If you want to learn more about web hacking, you can explore the web security section on our website. Thank you for reading.

To continue studying, check out the next lab, Insufficient Workflow Validation, but finish the current lab before moving on to it. Good luck!
