Post by Securitum
6,439 followers
๐ฅ A profile picture endpoint. A hardcoded admin account. Full platform takeover. ๐ฅ Another one from a recent security audit, and this one was a ride! The web application seemed to be hardened from security perspective. Strong access controls, proper authentication. But buried inside was a tiny, "boring" feature: an endpoint that fetched user avatars from a popular project management platform. ๐ผ๏ธ ๐ผ๏ธ Turns out it was a blind proxy. It took a path parameter, "glued" it onto the platform's base URL, and forwarded the request, using a hardcoded service account with global admin privileges. So we swapped the avatar path for a permissions check. The answer came back, ADMINISTER: true. Escalation? You will find it in the article. ๐๐ The lesson keeps coming back in pentests: ๐งจ never trust client supplied API paths ๐งจ service accounts don't need global admin to fetch avatars ๐งจ if you must proxy, allow list the exact endpoints Maksym Hensitskyi wrote the full breakdown: https://lnkd.in/dTp4AGFY #CyberSecurity #InfoSec #PenetrationTesting #DevOps