2016lisali / jacks_garden

A lovely online plant shop created with React
https://jacksgarden.netlify.app

Vulnerable Admin page, easy privilege escalation! #1

Open morfyum opened 2 years ago

morfyum commented 2 years ago

Hi! LocalStorage is not a correct solution for User/Admin sessions.

All users can read data from Browser / Inspect / Application; I see the whole user API response.

This is a test user session in local storage. userID: 3

{"user":{"userId":3,"firstName":"Test","lastName":"Test","email":"test@gmail.com","isAdmin":0,"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQsImlzQWRtaW4iOjAsImlhdCI6MTY1NTA2MzYzMSwiZXhwIjoxNjU1MDcwODMxfQ.z_O54n3fkr2_suVDMxHNagfvJMv5PL-onETxNb6i8cE"}}

And this is an admin session in local storage. UserID: 144

{"user":{"userId":144,"isAdmin":1,"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MTQ0LCJpc0FkbWluIjoxLCJpYXQiOjE2NTUwNjQ2NTMsImV4cCI6MTY1NTA3MTg1M30.n9p3WWO5PIsSF4xld97XXNrfGShsWY6H5MeKUKrjbis","firstName":"test"}}

ISSUE 1.

If you overwrite isAdmin: 0 with isAdmin: 1 and open the admin page (https://jacksgardenadmin.netlify.app/), you will get full access to the admin page!

How to reproduce

  1. Log in as a normal user
  2. Open developer tools in browser
  3. Navigate to Application
  4. Select The Storage / Local Storage
  5. Edit jg_user and overwrite isAdmin: 0 to isAdmin: 1

ISSUE 2.

If you overwrite userId: 3 with userId: 144, you can escalate privileges to the Admin user and do everything.

How to reproduce

  1. Log in as a normal user
  2. Open developer tools in browser
  3. Navigate to Application
  4. Select The Storage / Local Storage
  5. Edit jg_user and overwrite userId: 3 to userId: 144

PS: jg_user can also be overwritten to jg_admin, but I don't know whether this is required to use this bug.

Btw, I like your work, the Admin panel looks very cool! ;)

Statistics, design, and API solutions are good, just these issues are really dangerous. Have a nice day!

2016lisali commented 2 years ago

Thank you so much for the notice. Now the token will be stored in http-only cookies instead of localStorage, and I also fixed the two issues you mentioned above. I also noticed some other authentication issues and tried to fix them, so far so good. However, I need to do more tests. Thanks again and wish you all the best.
