Authorization 05
This exercise is one of our challenges on Authorisation issues.
In this exercise, we review a Ruby web application where the developer attempted to fix a previous vulnerability that allowed the creation of users with admin privileges. The initial bug is addressed by setting the admin field to zero during user signup, preventing unauthorized admin account creation. However, the update_profile endpoint remains vulnerable. Because it calls update_attributes on the request parameters, arbitrary HTTP parameters are still mapped onto object attributes, including the admin field. This oversight allows an attacker to elevate their privileges to admin by setting the admin attribute to one in the update_profile request.
A thorough code review reveals that although the signup endpoint has been secured, the same level of scrutiny was not applied to the update_profile endpoint. The application allows users to update their profile without filtering the input parameters, specifically the admin attribute. This gap can be exploited to gain unauthorized admin access, highlighting the importance of comprehensive input validation and output encoding in web applications.
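To make the difference between the two endpoints concrete, here is an added example (not the challenge's own code) in plain Ruby: a stand-in model whose mass-assignment method mirrors what update_attributes does with unfiltered request parameters, beside a hardened update that only copies an explicit allow-list of profile fields. The model fields, parameter values and method names are assumptions.

```ruby
# Minimal stand-in for an ActiveRecord-style model (field names are assumptions).
class User
  attr_accessor :username, :email, :admin

  def initialize(username:, email:, admin: 0)
    @username, @email, @admin = username, email, admin
  end

  # Vulnerable pattern: mirrors update_attributes(params) on unfiltered params.
  # Every key becomes a setter call, so an unexpected "admin" key reaches the model.
  def update_attributes_unsafe(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) if respond_to?("#{k}=") }
    self
  end

  # Fields a user is allowed to change on their own profile.
  PROFILE_FIELDS = %w[username email].freeze

  # Hardened pattern: copy only allow-listed fields and report the rest so the
  # caller can log them (Rails' strong parameters, e.g.
  # params.require(:user).permit(:username, :email), enforce the same idea).
  # Returns the list of rejected keys.
  def update_profile(attrs)
    rejected = []
    attrs.each do |k, v|
      if PROFILE_FIELDS.include?(k.to_s)
        public_send("#{k}=", v)
      else
        rejected << k.to_s
      end
    end
    rejected
  end
end

# Constructed request parameters for the update_profile endpoint: the ordinary
# profile fields plus a tampered "admin" key.
TAMPERED_PARAMS = { "username" => "alice", "email" => "alice@example.test", "admin" => 1 }.freeze

def unsafe_admin_value(params = TAMPERED_PARAMS)
  User.new(username: "alice", email: "old@example.test").update_attributes_unsafe(params).admin
end

def hardened_admin_value(params = TAMPERED_PARAMS)
  user = User.new(username: "alice", email: "old@example.test")
  rejected = user.update_profile(params)
  warn "unpermitted parameters rejected: #{rejected.join(', ')}" unless rejected.empty?
  user.admin
end

puts "update_attributes(params) -> admin=#{unsafe_admin_value}"    # 1: privilege escalated
puts "allow-listed update       -> admin=#{hardened_admin_value}"  # 0: still a normal user
```

The rejected-key list is what a defender would want in the application log: a request to a profile endpoint carrying an admin parameter is a strong signal of tampering.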