How I made Vertical Privilege Escalation through Request Manipulation
The article describes exploiting a vertical privilege escalation vulnerability in a human resource management system: using Burp Suite to bypass back-end validation, a low-privilege user could directly approve their own leave request. The root cause identified is a lack of input validation and authorization checks. 2025-7-8 07:53:23 Author: infosecwriteups.com Views: 18

In this writeup I explain how a broken access control vulnerability can let an account with low privileges perform actions reserved for a high-privilege account, with the help of the Burp Suite tool.

Ananth

Before demonstrating the vulnerability, I would like to explain what Vertical Privilege Escalation is.

Vertical Privilege Escalation

It is one form of broken access control in which a user with low privileges gains the ability to perform actions beyond what they are supposed to be able to do (as opposed to horizontal privilege escalation, where a user reaches another user's data or functions at the same privilege level).

One day I was testing a human resource management web app. To describe the web app: it is an application in which the information about an organization's employees is stored and managed. Each employee is assigned a role based on their tier level in the company.

I was given test login credentials for two accounts with different privileges. Let's call the two accounts reportee and reporting manager.

Using the provided credentials, I first logged in as the reportee and played around with the different features of the application.

While testing I noticed a feature, "Leave Request", where reportees can request leave from their reporting manager, and the reporting manager can approve or reject the reportee's leave request.

Using the reportee account, I made a leave request to the reporting manager.

While clicking the submit button, I found the API call behind the form using Chrome DevTools.

Method: POST
The response looked like this:

Proof of Exploitation

My curious mind kicked in: what if I intentionally injected the parameter "status":"Approved" into the POST request body and saw what happened next?

So I requested leave again, for a different date.

But this time I intercepted the POST request in Burp Suite.

As mentioned earlier, let's inject the parameter "status":"Approved" into the POST request body and see how the server behaves.

After exploitation, here is how the change from Pending to Approved was reflected at the UI level in the reportee's leave request view.

Here is a screenshot taken from the reporting manager's leave request view, in which the reportee's leave request has been approved without the reporting manager's knowledge.

Hahaha!!!😂😂

Steps To Reproduce

  1. Go to redacted.com (I'm not supposed to name the web app)
  2. Log in as the reportee
  3. Click Leave Request
  4. Fill in the leave request form
  5. Turn intercept on in Burp Suite and submit the form
  6. Add the extra parameter "status":"Approved" to the POST request body
  7. Forward it and observe in the response, and in the UI, that the reportee's leave request has been approved without the reporting manager's knowledge

In my view, what causes this broken access control issue is that instead of validating the user input, the backend blindly accepts the payload and acts on it without proper authorization checks. The request body is copied onto the leave record as submitted, so a workflow field that should only ever be set server-side, or by a manager through a separate approval action, can be supplied by the requester. If any reportee were aware of this vulnerability they would not need approval from their reporting manager; they could approve their own leave request. HAHAHA!!! 😂😂 Jokes apart, I reported this vulnerability to the platform concerned and they started fixing it.
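To make the root cause and the fix concrete, here is an added example that is not the target application's code (the HRMS is redacted, so the field names other than "status", the role names, and the in-memory store are assumptions). It replays the reproduction steps against a vulnerable handler that mass-assigns the request body onto the leave record, then against a hardened handler that allow-lists client fields, forces the initial state server-side, and moves approval into a separate action with an explicit authorization check.

```python
"""Leave-request privilege escalation via an injected "status" field.

Added illustration, not the HRMS's own code. Endpoint shape, field names
(except "status"), role names and the dict-backed store are assumptions.
"""
from dataclasses import dataclass, field
from typing import Any, Dict


@dataclass
class User:
    name: str
    role: str            # assumed role names: "reportee" or "manager"
    manager: str = ""    # reporting manager of a reportee


@dataclass
class LeaveStore:
    requests: Dict[int, Dict[str, Any]] = field(default_factory=dict)
    next_id: int = 1


# Fields a client may legitimately supply when creating a request (assumed).
CREATE_FIELDS = {"from_date", "to_date", "reason"}
DECISIONS = {"Approved", "Rejected"}


def create_vulnerable(store: LeaveStore, user: User, payload: Dict[str, Any]) -> int:
    """Vulnerable create handler: every client key is copied onto the row.

    The row starts as Pending, but an injected "status" key overrides it,
    which is what the intercepted request in the writeup did."""
    row = {"status": "Pending", "employee": user.name, "approver": user.manager}
    row.update(payload)                      # blind mass assignment
    rid = store.next_id
    store.next_id += 1
    store.requests[rid] = row
    return rid


def create_hardened(store: LeaveStore, user: User, payload: Dict[str, Any]) -> int:
    """Hardened create handler: reject unknown fields, set state server-side."""
    unknown = set(payload) - CREATE_FIELDS
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    row = {k: payload[k] for k in CREATE_FIELDS if k in payload}
    # Workflow fields come from the session and server logic, never the body.
    row.update({"status": "Pending", "employee": user.name, "approver": user.manager})
    rid = store.next_id
    store.next_id += 1
    store.requests[rid] = row
    return rid


def decide(store: LeaveStore, actor: User, rid: int, decision: str) -> str:
    """Separate approval action: only the assigned manager may change status."""
    row = store.requests[rid]
    if actor.role != "manager" or row["approver"] != actor.name:
        raise PermissionError(f"{actor.name} may not decide request {rid}")
    if decision not in DECISIONS:
        raise ValueError(f"invalid decision {decision!r}")
    row["status"] = decision
    return row["status"]


def demo() -> Dict[str, Any]:
    """Replay the reproduction steps against both handlers."""
    store = LeaveStore()
    alice = User("alice", "reportee", manager="bob")   # constructed test users
    bob = User("bob", "manager")
    # What the browser form actually submits (constructed sample).
    form = {"from_date": "2025-07-10", "to_date": "2025-07-11", "reason": "personal"}
    # The same request after editing it in the proxy: "status" injected.
    tampered = dict(form, status="Approved")

    rid = create_vulnerable(store, alice, tampered)
    escalated = store.requests[rid]["status"]           # Approved, no manager involved

    try:
        create_hardened(store, alice, tampered)
        blocked = False
    except ValueError:
        blocked = True                                   # tampered body rejected

    rid2 = create_hardened(store, alice, form)
    pending = store.requests[rid2]["status"]            # Pending until a manager acts
    try:
        decide(store, alice, rid2, "Approved")
        self_approved = True
    except PermissionError:
        self_approved = False                            # reportee cannot self-approve
    manager_decision = decide(store, bob, rid2, "Approved")

    return {"escalated": escalated, "blocked": blocked, "pending": pending,
            "self_approved": self_approved, "manager_decision": manager_decision}


if __name__ == "__main__":
    print(demo())
```

The important design choice is that the hardened create handler never reads "status" at all: the only code path that can change it is `decide`, and that path checks both the actor's role and that the actor is the manager assigned to this specific request, so a different manager cannot approve it either. Rejecting unknown fields rather than silently dropping them also gives you a 400 to alert on when someone starts probing the endpoint.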

If you found this writeup helpful, please follow me for more writeups like this. See you all in the next writeup!


Source: https://infosecwriteups.com/how-i-made-vertical-privilege-escalation-through-request-manipulation-98cfef624740?source=rss----7b722bfd1b8d---4