Bug: Privilege Escalation Attack Vulnerability. #1387

Closed
7 tasks
entrotech opened this issue Jun 12, 2023 · 2 comments · Fixed by #1391
Labels
bug Release Note: Shows as Error Correction features: Security Testing level: medium priority: MUST HAVE role: back-end Node/Express Development Task role: front-end Front End Developer size: 2pt Can be done in 7-12 hours

Comments

@entrotech
Member

entrotech commented Jun 12, 2023

Overview

The City's Information Technology Agency (ITA) reported that a security vulnerability has been reported for the production web site https://tdm.ladot.lacity.org. Our application is vulnerable to a Privilege Escalation attack. A PDF of the email report is below in the Resources section. John Darragh has been able to reproduce the attack using Burp Suite to intercept the login response as described in the email, and confirmed that the attack allows the attacker to register as a user with no special privileges and then escalate their privileges to those of an Admin or Security admin by simple manipulation of the HTTP response to the registered user's account.

Action Items

  • Confirm the reported vulnerability. Confirmed by John Darragh. Also confirmed that the interception allows the attacker to actually act as an admin or security admin and perform escalated actions.
  • Disable the production website until the issue can be resolved.
  • Develop application modifications to prevent the attack.
  • Demonstrate that the attack is thwarted.
  • Deploy fix and test in the development environment.
  • Release new version of the application.
  • Re-Enable the production web site.

Resources/Instructions

TDM Privilege Attack Vulnerability.pdf

@entrotech
Member Author

entrotech commented Jun 12, 2023

Read about Privilege Escalation attacks as linked in the description above.

To perform HTTP Request and/or Response Interception, you can use the Community Edition of Burp Suite. Work through the tutorials on how to intercept and modify the response as described in the referenced email. See if you can also reproduce the attack.

Do some research on how to prevent such attacks and we will get together on Wednesday to discuss options.

@entrotech
Member Author

Here is a video demonstrating the attack before the fix:
https://drive.google.com/file/d/1Qb4C0jkX3_c_US-UbCTov0Dw2XoZhd1p/view?usp=sharing

And here is a video demonstrating the thwarted attack after the fix:
https://drive.google.com/file/d/1_1XEgWuUrmPkJywhvj4zSJWQyOSBk-z4/view?usp=sharing
