
Exercise 31: Privilege Escalation Through Insecure Access Control

Mar 26, 2025

Objective

Learn how to exploit Improper Access Control vulnerabilities to escalate privileges and gain unauthorized access to administrative or higher-level user functions. Understand how to prevent these vulnerabilities using secure role-based access control (RBAC) and the principle of least privilege.

Scenario

You are testing a web application with different user roles: user and admin. Due to weak access control, an attacker can manipulate request parameters to escalate privileges and gain access to administrative features.


Lab Setup

Prerequisites:

  • Basic knowledge of PHP and web applications.
  • XAMPP/LAMP/WAMP stack installed (or any web server with PHP and MySQL support).
  • A code editor (e.g., VSCode, Sublime Text).

Step 1: Create the Vulnerable Web Application

Database Setup

Create a database and users table:

CREATE DATABASE privilege_escalation_lab;
USE privilege_escalation_lab;

CREATE TABLE users (
    id INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(50) NOT NULL,
    password VARCHAR(100) NOT NULL,
    role VARCHAR(20) NOT NULL DEFAULT 'user'
);

INSERT INTO users (username, password, role) VALUES ('alice', 'alice123', 'user'), ('admin', 'admin123', 'admin');

PHP Script for Login and Dashboard Access (Vulnerable)

Create a file login.php:

<?php
// Deliberately vulnerable lab code: the role sent by the client is trusted.
session_start();
$conn = mysqli_connect("localhost", "root", "", "privilege_escalation_lab");

if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    // Credentials are bound as parameters rather than interpolated into the
    // query, so this lab exercises access control only, not SQL injection.
    $stmt = mysqli_prepare($conn, "SELECT * FROM users WHERE username = ? AND password = ?");
    mysqli_stmt_bind_param($stmt, "ss", $username, $password);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);

    if (mysqli_num_rows($result) > 0) {
        $user = mysqli_fetch_assoc($result);
        $_SESSION['username'] = $user['username'];
        // FLAW: a client-supplied "role" field overrides the role stored in the
        // database (exploited in Exploitation Step 2).
        $_SESSION['role'] = isset($_POST['role']) ? $_POST['role'] : $user['role'];
        // FLAW: the role is also placed in the URL, where the user can edit it
        // (exploited in Exploitation Step 1).
        header("Location: dashboard.php?role=" . $_SESSION['role']);
        exit();
    } else {
        echo "<h2>Invalid Credentials!</h2>";
    }
}
?>

<h2>Login</h2>
<form method="POST" action="">
    Username: <input type="text" name="username" required><br>
    Password: <input type="password" name="password" required><br>
    <button type="submit" name="login">Login</button>
</form>

PHP Script for Dashboard

Create a file dashboard.php:

<?php
// Deliberately vulnerable lab code: the role is read from the query string.
session_start();
// FLAW: $_GET['role'] is under the user's control; the role stored in the
// session at login is never consulted (exploited in Exploitation Step 1).
$role = isset($_GET['role']) ? $_GET['role'] : 'user';
if ($role === 'admin') {
    echo "<h2>Welcome, Admin! You have full access.</h2>";
} else {
    echo "<h2>Welcome, User! Limited access granted.</h2>";
}
?>

Running the Application

  • Start the Apache server.
  • Place login.php and dashboard.php in the web server’s root directory (htdocs for XAMPP).
  • Open http://localhost/login.php in your browser.

Exploitation Steps

Step 1: Privilege Escalation via URL Manipulation

Log in as alice (Username: alice, Password: alice123).

After login, the URL will be:

http://localhost/dashboard.php?role=user

Modify the URL to:

http://localhost/dashboard.php?role=admin

Expected Result:

  • The user gains administrative access without proper authorization.

Step 2: Privilege Escalation via Hidden Form Field

Add a hidden form field in the login form:

<input type="hidden" name="role" value="admin">

Submit the form.

Expected Result:

  • The user is logged in with admin privileges.

Solution and Prevention

Problem Analysis

  • Role-based access control is handled on the client side, allowing manipulation of user roles.

Fixing the Vulnerability

Enforce Server-Side Role Verification

Modify dashboard.php to verify roles from the session, not the URL:

<?php
session_start();

if (!isset($_SESSION['role'])) {
    header("Location: login.php");
    exit();
}

if ($_SESSION['role'] === 'admin') {
    echo "<h2>Welcome, Admin! You have full access.</h2>";
} else {
    echo "<h2>Welcome, User! Limited access granted.</h2>";
}
?>

Implement Role-Based Access Control (RBAC)

Assign permissions based on roles:

<?php
session_start();

// Authorization decisions use only the server-side session; the strict
// comparison means an unset or non-string role never matches.
function hasAccess($requiredRole) {
    return isset($_SESSION['role']) && $_SESSION['role'] === $requiredRole;
}

if (hasAccess('admin')) {
    echo "<h2>Welcome, Admin!</h2>";
} else {
    echo "<h2>Access Denied.</h2>";
}
?>

Apply the Principle of Least Privilege

Users should only have the permissions necessary for their roles.
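The hasAccess() check above compares a single role name. The following is an added example (not the lab's own code) that takes the same idea one step further: each role is mapped to the smallest set of permissions it needs, pages ask for a permission rather than a role, and anything not listed is denied. The permission names and the manage_users.php page name are assumed for illustration; only the user and admin roles come from the lab's users table.

```php
<?php
// authz.php: added example of permission-based RBAC with least privilege.
// Assumed for this example: the permission names below and the page name
// manage_users.php. Only the roles "user" and "admin" exist in the lab DB.
declare(strict_types=1);

// Each role lists only the permissions it needs. A role that is not listed
// here has no permissions at all (deny by default).
const ROLE_PERMISSIONS = [
    'user'  => ['view_dashboard', 'edit_own_profile'],
    'admin' => ['view_dashboard', 'edit_own_profile', 'manage_users', 'view_audit_log'],
];

function currentRole(): ?string {
    // Authorization state lives in the server-side session only; request
    // parameters such as ?role=admin or a hidden form field are never read.
    return isset($_SESSION['role']) ? (string)$_SESSION['role'] : null;
}

function hasPermission(string $permission): bool {
    $role = currentRole();
    if ($role === null || !array_key_exists($role, ROLE_PERMISSIONS)) {
        return false;
    }
    return in_array($permission, ROLE_PERMISSIONS[$role], true);
}

// Gatekeeper for a protected page or action: unauthenticated requests go to
// the login page, authenticated but unauthorized ones get a 403 plus a log
// line that a detection pipeline can pick up.
function requirePermission(string $permission): void {
    if (currentRole() === null) {
        header("Location: login.php");
        exit();
    }
    if (!hasPermission($permission)) {
        error_log(sprintf(
            "authz deny: user=%s role=%s permission=%s ip=%s",
            $_SESSION['username'] ?? '-',
            currentRole(),
            $permission,
            $_SERVER['REMOTE_ADDR'] ?? '-'
        ));
        http_response_code(403);
        exit("<h2>Access Denied.</h2>");
    }
}

// Usage at the top of an admin-only page such as manage_users.php (assumed):
//   session_start();
//   require 'authz.php';
//   requirePermission('manage_users');
//   ... admin-only work follows ...
```

Because every page asks for a permission and the role-to-permission map is a constant on the server, granting a new capability means editing one table rather than hunting for role string comparisons, and a user whose role is missing from the map falls through to the deny branch rather than to a default grant.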

Use Secure Session Management

Regenerate the session ID on successful login, before storing the username and role in the session, to prevent session fixation:

session_regenerate_id(true);
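The lab only shows the patched dashboard.php. The following is an added example (not the lab's own fix) of a login.php that closes both holes exploited above: the role is taken from the database row alone, never from a hidden field, and the redirect carries no role parameter for the user to edit. It also binds the query parameters and regenerates the session ID at the moment of login. It assumes the lab's privilege_escalation_lab database, but with the password column holding password_hash() output rather than the plaintext seed values (for example, the value of password_hash('alice123', PASSWORD_DEFAULT) for alice).

```php
<?php
// secure_login.php: added example, not the lab's own code. Assumes the lab's
// database with the `password` column storing password_hash() output.
declare(strict_types=1);

session_start();

$conn = mysqli_connect("localhost", "root", "", "privilege_escalation_lab");
if ($conn === false) {
    http_response_code(500);
    exit("Database connection failed");
}

if (isset($_POST['login'])) {
    $username = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');

    // Prepared statement: the username is bound, never interpolated.
    $stmt = mysqli_prepare($conn, "SELECT username, password, role FROM users WHERE username = ? LIMIT 1");
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);
    $user = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));

    if (is_array($user) && password_verify($password, $user['password'])) {
        // A fresh session ID at the privilege change defeats session fixation.
        session_regenerate_id(true);
        $_SESSION['username'] = $user['username'];
        // The role comes from the database row only. A hidden "role" field in
        // the submitted form is never consulted.
        $_SESSION['role'] = $user['role'];
        // No role in the redirect: the server already knows it from the session.
        header("Location: dashboard.php");
        exit();
    }

    // One message for both an unknown user and a wrong password.
    http_response_code(401);
    echo "<h2>Invalid Credentials!</h2>";
}
?>
<h2>Login</h2>
<form method="POST" action="">
    Username: <input type="text" name="username" required><br>
    Password: <input type="password" name="password" required><br>
    <button type="submit" name="login">Login</button>
</form>
```

Together with the patched dashboard.php, this leaves the client with nothing to tamper with: the only thing it holds is an opaque session cookie, and every authorization decision is made from the server-side copy of the role.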

Testing After Fix

Attempt to modify the URL parameter:

http://localhost/dashboard.php?role=admin

Expected Result:

Unauthorized users are blocked from accessing admin functionality.
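Rather than re-checking by hand each time the application changes, the two manipulation attempts from this lab can be replayed as a regression check. The following is an added example (not part of the lab) written against the patched application. It assumes the lab is served at http://localhost, that the alice/alice123 account still exists, and that the PHP curl extension is available; the check names are constructed for this example.

```php
<?php
// check_authz.php: added regression check, not part of the lab. Replays the
// lab's two manipulation attempts and reports whether the patched server
// still honours a client-supplied role. Assumes http://localhost and the
// alice/alice123 account from the lab's seed data.
declare(strict_types=1);

const BASE = 'http://localhost';

// One HTTP request with a persistent cookie jar so the session survives
// across calls; redirects are followed so a bounce to login.php is visible.
function request(string $jar, string $url, ?array $post = null): string {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_COOKIEJAR      => $jar,
        CURLOPT_COOKIEFILE     => $jar,
    ]);
    if ($post !== null) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
    }
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? '' : $body;
}

// The only admin-specific string the lab's dashboard emits.
function roleWasEscalated(string $body): bool {
    return str_contains($body, 'Welcome, Admin');
}

$jar = tempnam(sys_get_temp_dir(), 'lab');
$checks = [];

// Attempt 1: a hidden "role" field on login must not be honoured.
$body = request($jar, BASE . '/login.php', [
    'username' => 'alice',
    'password' => 'alice123',
    'role'     => 'admin',
    'login'    => '1',
]);
$checks['hidden role field ignored'] = !roleWasEscalated($body);

// Attempt 2: ?role=admin on the dashboard must not be honoured for a user session.
$body = request($jar, BASE . '/dashboard.php?role=admin');
$checks['url role parameter ignored'] = !roleWasEscalated($body);

// Attempt 3: with no session at all, the dashboard must redirect to login.
$body = request(tempnam(sys_get_temp_dir(), 'lab'), BASE . '/dashboard.php?role=admin');
$checks['anonymous request sent to login'] = str_contains($body, '<h2>Login</h2>');

$failed = 0;
foreach ($checks as $name => $ok) {
    printf("%-36s %s\n", $name, $ok ? 'PASS' : 'FAIL');
    if (!$ok) {
        $failed++;
    }
}
exit($failed === 0 ? 0 : 1);
```

Run it as `php check_authz.php` with the patched files in place; a non-zero exit status means one of the attempts still succeeded. Against the original vulnerable files the first two checks fail, which is what makes it useful as a before/after test.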


Conclusion

In this lab, you exploited Insecure Access Control by modifying request parameters to escalate privileges. You also learned how to prevent this vulnerability by enforcing server-side role verification, implementing RBAC, and applying the principle of least privilege.
