# Findings
## [Broken Access Control] Access Administration Section --- Risk Score: <span style="color:orange">5</span> (<- yellow)
---
### Prerequisites
This finding builds on the administrator permissions obtained in the previous finding. They can be obtained by logging in as `admin@juice-sh.op` or by registering a user with the role `admin`.
Furthermore, basic knowledge of manipulating URLs is necessary and some guessing is helpful.
Only a browser is required; optionally, an attacker can use its developer tools.
### Factual description
A user logs in with the role `admin`. From there, there are two ways to reach the administration page:
1. The browser's developer tools expose the application bundle `main.js` in the debugger/sources panel. Searching it for route paths reveals a route named `administration`, which suggests a page holding sensitive data.

Appending `administration` to the URL fragment takes the user to the Administration section.
2. An attacker could also guess the URL by trying likely words that indicate an administration section.
In both cases the resulting URL is: `http://localhost:3000/#/administration`
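The following is an added example, not code from the original report or from Juice Shop, showing how the route discovery in step 1 can be done systematically instead of by eye, and how the same wordlist feeds the guessing approach in step 2. The bundle text is a constructed stand-in for `main.js`, and the wordlist is an assumption:

```javascript
// Added example (not part of the original report or of Juice Shop): find the
// route paths of a single-page application in its JavaScript bundle instead
// of guessing them. The bundle text below is constructed for this example.
const bundle =
  'const routes=[{path:"login",component:a},{path:"register",component:b},' +
  '{path:"administration",component:c,canActivate:[g]},' +
  '{path:"search",component:d},{path:"**",redirectTo:"search"}];';

// Words that hint at a privileged area (assumption: a short wordlist an
// attacker would also use for plain guessing).
const PRIVILEGED_HINTS = ['admin', 'administration', 'management', 'dashboard', 'internal'];

// Collect every route path declared as path:"..." or path:'...' in the bundle,
// skipping the wildcard route.
function extractRoutePaths(js) {
  const found = new Set();
  const re = /\bpath:\s*(["'])([^"']*)\1/g;
  let m;
  while ((m = re.exec(js)) !== null) {
    if (m[2] !== '**') found.add(m[2]);
  }
  return [...found].sort();
}

// Keep only the paths whose name suggests an administrative section.
function flagPrivilegedRoutes(paths) {
  return paths.filter(p => PRIVILEGED_HINTS.some(h => p.toLowerCase().includes(h)));
}

// Turn a hash route into the URL to open in the browser.
function routeUrl(base, path) {
  return `${base}/#/${path}`;
}

// Candidate URLs for the guessing approach, built from the same wordlist.
function guessUrls(base) {
  return PRIVILEGED_HINTS.map(w => routeUrl(base, w));
}

const paths = extractRoutePaths(bundle);
console.log('routes in bundle:', paths);
console.log('privileged candidates:',
  flagPrivilegedRoutes(paths).map(p => routeUrl('http://localhost:3000', p)));
```

Hash routes (`#/...`) are resolved entirely in the browser, so every such URL returns the same HTML with status 200; a guessed URL can only be confirmed by loading it and seeing whether the page renders. Reading the route table out of the bundle is therefore the more reliable of the two approaches.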
The attacker now sees a page with two sections: `Registered Users` lists the email address and activity status of every account, and `Customer Feedback` lists all feedback messages with their ratings.

### Impact
The attacker obtains the email addresses of all registered users. Clicking the eye icon next to an entry additionally reveals the user ID and the timestamps at which the account was created and last updated.
It is also possible to tamper with the customer feedback by deleting entries.
### Risk
The attacker needs to be logged in with admin permissions, which should be too challenging to be likely. Because this website is very insecure overall and registering as an admin only requires basic skills, the prerequisites are achievable in this case. Once the user has the right permissions there are no further obstacles to reaching the administration page, so the likelihood is classified as possible.
The administration page shows data of all other registered users, so confidentiality is violated. Furthermore, the attacker can manipulate the shop's feedback scores and thereby influence its rating and success. Therefore the impact is classified as high.
Overall this gives a risk score of 5.
- unauthorized access
### Recommendation
To protect the page against users who already hold an administrator account, it is recommended to require additional authentication (for example a second factor) before granting access to the administration section. Access should be denied by default, so that even admins must prove their identity before they can reach confidential data.
Juice Shop validates the permissions only at login; for better security the role should be validated on the server for every request to the administration data, so that a check performed only in the browser cannot be bypassed by calling the API directly.
Renaming the route so that it is harder to guess adds a small obstacle, but it is no substitute for the server-side checks above, since the route name still appears in `main.js`.