Mass Assignment -> Horizontal Privilege Escalation
Software frameworks sometimes let developers automatically bind HTTP request parameters to program variables or objects, to make the framework easier to use. This convenience can cause harm: an attacker can submit parameters the developer never intended to accept, and the framework will create or overwrite variables or object attributes that were never meant to be set from the request.
Exploitation
This web app is vulnerable to mass assignment, which lets an attacker access information they do not have permission to see.
Since we have been given credentials, we will log in to see how the application works.
As you can see, we have access to company 1's information, but our goal here is to access company 2's information.
To do that, we will log in again and intercept the request in Burp Suite.
The application was submitting user[username]=user1&user[password]=pentesterlab. So if it is vulnerable to mass assignment and the user model has a company attribute, we can overwrite that attribute by adding either user[company_id]=2 or user[company]=2 to our request.
Let's try this with the payload user[username]=user2&user[password]=user2&user[company]=2
We got an Internal Server Error, which might be because company is not a valid attribute name.
We will try again with company_id. Our payload will be user[username]=user2&user[password]=user2&user[company_id]=2
Done!
Mitigations
- Use Data Transfer Objects (DTOs), so that only the fields a request is meant to set are ever bound to the model.
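The following is an added Python example (not code from the exercise or its back end) that models the bug described above and the DTO mitigation side by side: a login handler that binds every user[...] parameter onto the session model with setattr, next to one that only accepts the two fields a login needs. The user records, company data and parameter parser are constructed for the illustration.

```python
import hmac
from dataclasses import dataclass, fields
from urllib.parse import parse_qs

# Constructed sample data, not the exercise's real back end.
USERS = {"user1": {"password": "pentesterlab", "company_id": 1}}
COMPANIES = {1: "company 1 data", 2: "company 2 data"}

class User:
    """Session model; company_id is taken from the stored account record."""
    def __init__(self, record):
        self.username = None
        self.password = None
        self.company_id = record["company_id"]

@dataclass
class LoginDTO:
    """DTO: the only fields a login may carry; anything else is rejected."""
    username: str
    password: str

    @classmethod
    def from_params(cls, attrs):
        unknown = set(attrs) - {f.name for f in fields(cls)}
        if unknown:
            raise ValueError(f"unexpected parameter(s): {sorted(unknown)}")
        return cls(**attrs)

def parse_user_params(body):
    """'user[username]=u&user[company_id]=2' -> {'username': 'u', 'company_id': '2'}"""
    return {k[5:-1]: v[0] for k, v in parse_qs(body).items()
            if k.startswith("user[") and k.endswith("]")}

def _check(record, password):
    return record is not None and hmac.compare_digest(record["password"], password or "")

def vulnerable_login(body):
    attrs = parse_user_params(body)
    record = USERS.get(attrs.get("username"))
    if not _check(record, attrs.get("password")):
        return None
    user = User(record)
    for key, value in attrs.items():   # mass assignment: user[company_id] overwrites the model
        setattr(user, key, value)
    return COMPANIES[int(user.company_id)]

def hardened_login(body):
    dto = LoginDTO.from_params(parse_user_params(body))   # raises on user[company_id]
    record = USERS.get(dto.username)
    if not _check(record, dto.password):
        return None
    return COMPANIES[record["company_id"]]   # company comes only from the stored record
```

With the extra user[company_id]=2 parameter, vulnerable_login returns company 2's data while hardened_login rejects the request before any binding happens.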