A threat actor may perform unauthorized functions belonging to another user with a higher privilege level.

Clone this current repo recursively

git clone --recursive https://github.com/qeeqbox/horizontal-privilege-escalation

Run the webapp using Python

python3 horizontal-privilege-escalation/vulnerable-web-app/webapp.py

Open the webapp in your browser 127.0.0.1:5142

Login as John (username: john and password: john - The threat actor stole this account)

John has access to the tickets only

Logout

Login as Joe (username: joe and password: joe - The threat actor stole this account)

Joe also has access to the tickets and sysinfo

Code

This logic checks if the user is logged in, then it renders sections based on the user's access

@logged_in
def render_home_page(self):
    content = b""
    cookies = SimpleCookie(self.headers.get('Cookie'))
    if "access" in cookies:
        for access in cookies["access"].value.split(","):
            content += getattr(self, f"{access}_section" , None)()
    return BASE_TEMPLATE.replace(b"{{body}}",content)

Impact

Vary

Risk

• Session Hijacking
• Credential Theft

Redemption

• Client input validation
• Output encoding
• Browser built-in XSS preveiton

ID

cb251c97-067d-4f13-8195-4f918273f41b