A Easy Vertical Privilege Escalation via Session Storage

Amjad Ali
4 min readSep 15, 2023

--

Hey everyone šŸ‘‹,

I hope all is well. After a gap of one month, Iā€™m back with another write-up. If you missed my previous story, ā€œA High-Impact Payment Bypass on a Government Website ā€” A Tale of Business Logic Flaw Exploitationā€ you can catch up on it here:- https://amjadali110.medium.com/a-high-impact-payment-bypass-on-government-website-a-tale-of-business-logic-flaw-exploitation-b158feb7826a
In this write-up, I want to share the story of my recent discovery, Vertical Privilege Escalation via Session Storage, which I discovered on a private program and got 3($$$) digits bounty. So, without further more delay, letā€™s dive into the details.

This was a CRM portal, and it had two different user roles: Normal User and Admin. As part of my testing, I logged in using a Normal User account to explore the functionalities of the web app. Normal Users had only limited resources and features access and couldnā€™t modify data within the portal. While surfing through the website, I checked the Local Storage and Session Storage. In the Session Storage, I saw the ā€œuserPermissionsListā€ object, which contains a JSON array of user permissions.

So, I quickly logged in as an admin account. Admins had complete access to resources and features and could modify data within the portal. I also checked the Session Storage within the admin account and compared the admin and normal user ā€œuserPermissionsListā€ objects, which contained JSON arrays of user permissions.

The initial permissions for a normal user look like this:

[
{"permissionId": 1, "permissionName": "CanGetApplicants"},
{"permissionId": 5, "permissionName": "CanGetUsers"},
{"permissionId": 8, "permissionName": "CanGetApplications"},
{"permissionId": 9, "permissionName": "CanResendEmails"},
{"permissionId": 18, "permissionName": "CanGetCustomers"},
{"permissionId": 22, "permissionName": "CanGetUserActivity"}
]

The initial permissions for a admin look like this:

[
{"permissionId": 1, "permissionName": "CanGetApplicants"},
{"permissionId": 2, "permissionName": "CanCreateApplicants"},
{"permissionId": 3, "permissionName": "CanUpdateApplicants"},
{"permissionId": 4, "permissionName": "CanManageAccounts"},
{"permissionId": 5, "permissionName": "CanGetUsers"},
{"permissionId": 6, "permissionName": "CanCreateUsers"},
{"permissionId": 7, "permissionName": "CanUpdateUsers"},
{"permissionId": 8, "permissionName": "CanGetApplications"},
{"permissionId": 9, "permissionName": "CanResendEmails"},
{"permissionId": 10, "permissionName": "CanGetDocuments"},
{"permissionId": 11, "permissionName": "CanUploadDocuments"},
{"permissionId": 12, "permissionName": "CanCreateIndividualInvitations"},
{"permissionId": 14, "permissionName": "CanQueryIndividualInvitations"},
{"permissionId": 15, "permissionName": "CanGetBulkInvitations"},
{"permissionId": 16, "permissionName": "CanUploadBulkInvitationsFile"},
{"permissionId": 17, "permissionName": "CanUpdateFormStatus"},
{"permissionId": 18, "permissionName": "CanGetCustomers"},
{"permissionId": 19, "permissionName": "CanResendInvitations"},
{"permissionId": 20, "permissionName": "CanResendEvaluations"},
{"permissionId": 21, "permissionName": "CanResendManualReviews"},
{"permissionId": 22, "permissionName": "CanGetUserActivity"},
{"permissionId": 23, "permissionName": "CanGetDeliveredDocuments"},
{"permissionId": 24, "permissionName": "CanGetBillingTables"},
{"permissionId": 25, "permissionName": "CanGetBillingTableHistoricalRecords"},
{"permissionId": 26, "permissionName": "CanGetBillingTableDraftUpdateRecords"},
{"permissionId": 27, "permissionName": "CanGetFeedbacks"},
{"permissionId": 28, "permissionName": "CanUpdateBillingTables"},
{"permissionId": 29, "permissionName": "CanUpdateUserEmail"},
{"permissionId": 30, "permissionName": "CanGetTemplates"},
{"permissionId": 31, "permissionName": "CanResendApplicationEmail"},
{"permissionId": 32, "permissionName": "CanDeleteUpcomingUpdates"},
{"permissionId": 33, "permissionName": "CanCreatePolls"},
{"permissionId": 34, "permissionName": "CanGetPolls"},
{"permissionId": 35, "permissionName": "CanUpdatePolls"},
{"permissionId": 36, "permissionName": "CanNotifyIndividualInvitations"},
{"permissionId": 37, "permissionName": "CanSendInvitationEmail"}
]

Upon reviewing these ā€œuserPermissionsListā€ objects, I discerned a potential vulnerability. To test it, I returned to the Normal User account.

Understanding Local Storage and Session Storage

Before diving into the vulnerability exploitation, itā€™s essential to grasp the concept of Local Storage and Session Storage.

What is Local Storage & Session Storage?ā€

LocalStorage and SessionStorage are browser storage features introduced in HTML5. It allows saving data in key-value pairs in web browsers via JavaScript. Usually, most of the browsers support up to 5MB browser storage and will enable us to save more data efficiently.

Attempting to Exploit the Vulnerability

With the collected information, I proceeded to the Normal User account and navigated to the ā€œSession Storageā€ section. Inside Session Storage, I located the ā€œuserPermissionsListā€ object, containing a JSON array of user permissions. I modified the Admin Account ā€œuserPermissionsListā€ object to Normal User in the Session Storage to gain admin-level access. After making these changes, I refreshed the page, and to my amazement, I gained unauthorized access to administrative-level resources and features, achieving an effortless Vertical Privilege Escalation.
I promptly reported this issue, and after two days, I received a response from the program managers, along with a three-digit bounty ($$$).

Itā€™s worth noting that many Bug Bounty Hunters overlook Local Storage and Session Storage. I strongly recommend always checking these storage mechanisms, as they may contain sensitive information such as JWT token, Email/Password, as well as PII etc.

I hope this write-up offers you valuable insights and aids you in your future endeavors. Thank you for taking the time to read about my experience. If you have any thoughts or questions, please feel free to share them in the comments section.

My Linkedin: https://www.linkedin.com/in/amjadali110/

--

--

Amjad Ali
Amjad Ali

Written by Amjad Ali

Cyber Security Enthusiast šŸ’» | 18y/o Ethical Hacker ā˜ ļø | CTF Player šŸŽÆ | Bug Hunter šŸŖ² | Web Developer šŸŒ

Responses (3)