Sunday, June 30, 2019

Hunting for Privilege Escalation with Burp Suite


In this blog post I would like to talk about a technique which can be used to find privilege escalation in web applications.

Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation or changes should have been prevented by the application. This is usually caused by a flaw in the application. The result is that the application performs actions with more privileges than those intended by the developer or system administrator.

Vertical privilege escalation is when a flaw allows a lower-privileged user to access and/or modify data which should only be accessible to higher-privileged users (administrators). Horizontal escalation is when it is possible to access resources granted to a similarly configured account (a different user).

For this demo I will use the Hackazon vulnerable web app VM from Rapid7.

Burp’s “Compare site maps” tool can be used to test for privilege escalation by comparing site maps generated with different users.

First create a new user in Hackazon named “User1” and create a new project in Burp with the same name. Log in with User1’s credentials, browse around the site, then right-click on the target and choose “Spider this host”. When the spidering is done, click Logout and close Burp.

Then open Burp again and create a new project named “admin”.
 
Go ahead and log in to the web app as admin/hackazon. Repeat the previous steps to spider the site. After the spidering is finished, right-click on the target and choose the “Compare site maps” tool.

For “Site Map 1” leave “Use current site map” selected and click Next, then check “Include in-scope items only” and click Next.

For “Site Map 2” choose “Load from Burp project file” and select the file for User1’s project.

Check “Include in-scope items only”, and for the rest of the options just click Next to accept the defaults.

When the comparison is done we can see both site maps and visually identify the differences between the two with the help of color coding.
     
Looking at the “account” folder, we can see the order "10000007" in admin’s site map. Let’s try to access it from our User1 account.
Copy the order’s URL from Burp, log in to the web app as User1 and paste the order URL into the browser.
We also check that User1 does not have any orders placed.
 
We can now see admin’s order and confirm that the web app is vulnerable.
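
The comparison and replay steps above can also be scripted, for example to rerun the check after an access-control fix. This is an added example, not code from the original post or from Burp; the host, paths, response sizes and function names are constructed for illustration, and only the order number 10000007 in the “account” folder comes from the post.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample data: (method, URL, status, body length) per site-map entry.
# Host and paths are assumptions; only order 10000007 under "account" is from the post.
ADMIN_MAP = [
    ("GET", "http://hackazon.test/", 200, 5120),
    ("GET", "http://hackazon.test/account", 200, 4200),
    ("GET", "http://hackazon.test/account/orders/10000007", 200, 3900),
    ("GET", "http://hackazon.test/search?page=1&q=tv", 200, 2800),
]
USER1_MAP = [
    ("GET", "http://hackazon.test/", 200, 5120),
    ("GET", "http://hackazon.test/account", 200, 4100),
    ("GET", "http://hackazon.test/search?q=tv&page=1", 200, 2800),
]
# Constructed results of replaying admin-only requests with User1's session.
REPLAY_AS_USER1 = {("GET", "/account/orders/10000007"): (200, 3900)}

def key(method, url):
    """Normalise an entry so host, method case and parameter order cause no false diffs."""
    parts = urlsplit(url)
    query = urlencode(sorted(parse_qsl(parts.query)))
    path = parts.path.rstrip("/") or "/"
    return (method.upper(), path + ("?" + query if query else ""))

def only_in_first(map1, map2):
    """Entries present in site map 1 but absent from site map 2."""
    seen = {key(m, u) for m, u, _, _ in map2}
    return {key(m, u): (s, n) for m, u, s, n in map1 if key(m, u) not in seen}

def broken_access_control(candidates, replay, tolerance=0.05):
    """Flag candidates where the low-privileged replay got the same answer as admin."""
    findings = []
    for k, (status, length) in candidates.items():
        if k not in replay:
            continue  # this request has not been replayed yet
        r_status, r_length = replay[k]
        same_size = abs(r_length - length) <= tolerance * max(length, 1)
        if r_status == status == 200 and same_size:
            findings.append(k)
    return findings

if __name__ == "__main__":
    candidates = only_in_first(ADMIN_MAP, USER1_MAP)
    for method, path in broken_access_control(candidates, REPLAY_AS_USER1):
        print(f"User1 received admin's response for {method} {path}")
```

A replay that comes back as a redirect to the login page or as 403 is not flagged, which is the result to expect once the order page checks ownership.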
