Privileged User to Privilege Elevation

Stored Cross-Site Scripting (Privileged User to Privilege Elevation)

Overview of the Vulnerability

Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of this domain. Stored XSS can be found on this domain which allows an attacker to submit data to a form and escalate from a privileged user to a higher privileged user, which could include an Administrator level user.

When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session.

Business Impact

Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust.

Steps to Reproduce

Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
Log into the application at with the privileged user account (User B)
Forward the following request to the endpoint:

{{request}}

Observe the JavaScript payload being executed
Log out of the privileged account (User B)
Log into a higher-privileged account (User A) and navigate to {{url}} which contains the payload
Log out of the higher-privileged account (User A) and log into the privileged account (User B)
Observe the privileged account (User B) has gained escalated privileges

Proof of Concept (PoC)

Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint, {{URL}}:

Recommendations

All user input fields should be sanitized based on what the field is likely to contain. For example, a date of birth field should only contain a maximum of 10 characters consisting of numbers and forward slashes. Additionally, drop down or pick lists can be used for allowable inputs to ensure expected values are sent to the server.

Encode outputs of HTTP responses to prevent them from being interpreted as active content.

Use appropriate HTTP response headers to ensure the browser correctly interprets responses. For example:

 x-content-type-options: nosniff
 Content-Security-Policy: default-src ‘self’; script-src ‘self’

Ensure access controls are managed on the principle of least privilege, and are routinely audited for unnecessary access.

For more information, please see:

https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

PreviousPrivileged User To No Privilege Elevation NextSelf

Last updated 1 year ago