Application Analysis
CopyPast is a web application for managing code snippets and sharing them with the community. Users can discover and explore snippets that others have shared.
Vulnerability Discovery
Before finding the actual vulnerability, I tested the API for a few candidate broken access control issues. First, I changed the ID in PUT /api/snippets/10 to see whether I could update snippets I did not own. I also tried to delete other users' snippets by manipulating the DELETE /api/snippets/9 request. Neither attempt worked: the application correctly validates ownership for these operations.
I then looked at the password reset functionality in the user's account settings. I triggered a password reset for my own account and inspected the request in Caido. The request carried the user ID in the body parameter user_id of the PUT /api/profile/password request.

Exploitation
I changed it to the ID 4 and the password was updated successfully, which means any account can be taken over this way. Looking through the HTTP history again, I found that the user admin has user_id 1, and reset its password as well.
After exploiting this broken access control vulnerability, I logged in as the admin user; the flag is displayed in the title of a private snippet owned by the admin.

This vulnerability exists because the application never verifies that the authenticated user is authorized to change the password for the specified user_id. The server trusts the client-supplied user_id, so any authenticated user can reset the password of any other account. The fix is to ignore the user_id in the body entirely and derive the target account from the session; a stronger handler also requires the current password before accepting a new one.
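To make the root cause concrete, here is an added example (not code from CopyPast) that models the PUT /api/profile/password handler in its vulnerable form beside a hardened one. The in-memory user table, the request body shape, the session_user_id argument and the helper names are all assumptions made for the demonstration; the attack replays the write-up's step of sending user_id 1 from an ordinary account.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the requested account."""


@dataclass
class User:
    id: int
    username: str
    salt: bytes
    password_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the demo runs quickly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user(uid: int, username: str, password: str) -> User:
    salt = os.urandom(16)
    return User(uid, username, salt, hash_password(password, salt))


def verify_password(user: User, password: str) -> bool:
    return hmac.compare_digest(user.password_hash, hash_password(password, user.salt))


# Constructed in-memory user table standing in for the application's database.
# The IDs mirror the write-up (admin is 1); the usernames and passwords are invented.
USERS = {
    1: make_user(1, "admin", "admin-secret"),
    4: make_user(4, "alice", "alice-secret"),
    7: make_user(7, "attacker", "attacker-secret"),
}


def vulnerable_reset_password(session_user_id: int, body: dict) -> int:
    """Models the bug: the target account is taken from the client-supplied
    body["user_id"]; session_user_id is never compared against it."""
    target = USERS[int(body["user_id"])]
    target.salt = os.urandom(16)
    target.password_hash = hash_password(body["new_password"], target.salt)
    return target.id


def hardened_reset_password(session_user_id: int, body: dict) -> int:
    """Fixed handler: the target is the authenticated user, a mismatching
    user_id in the body is rejected, and the current password is required
    (the last check is an extra defense, not something the write-up describes)."""
    target = USERS[session_user_id]
    if "user_id" in body and int(body["user_id"]) != session_user_id:
        raise Forbidden("user_id in body does not match the authenticated user")
    if not verify_password(target, body.get("current_password", "")):
        raise Forbidden("current password is wrong")
    target.salt = os.urandom(16)
    target.password_hash = hash_password(body["new_password"], target.salt)
    return target.id


if __name__ == "__main__":
    # Attacker (user 7) replays their own reset request with user_id 1, as in the write-up
    attacker_body = {"user_id": 1, "new_password": "pwned"}
    vulnerable_reset_password(7, attacker_body)
    print("vulnerable handler: admin now accepts 'pwned':", verify_password(USERS[1], "pwned"))
    try:
        hardened_reset_password(7, {**attacker_body, "current_password": "attacker-secret"})
    except Forbidden as e:
        print("hardened handler rejected the request:", e)
```

The hardened handler still reads user_id from the body only to reject a mismatch; dropping the parameter from the API altogether is the cleaner option, since the session already identifies the only account the caller may change.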