Vuln ID: TP-022
Title: Privilege Escalation via Mass Assignment on Registration
Severity: critical
Type: Privilege Escalation
HTTP Method: POST
URL: /auth/register
Parameter: is_admin
Filename: -
Code Location: backend/api/controllers/AuthController.php line 38

Description

The registration endpoint accepts an optional is_admin field in the request body and, because request fields are assigned to the new user record without filtering (mass assignment), honours it. If is_admin=1 is sent, the new account is created with admin privileges.

Proof of Concept

{"name":"attacker","email":"[email protected]","password":"pass123","is_admin":1}

Remediation

Ignore any client-supplied is_admin value and hard-code isAdmin to 0 for all registrations; only copy an explicit allow-list of fields (name, email, password) from the request into the user record.
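The following is an added illustration of the pattern and its fix, not code from the project's AuthController; the handler names, the constructed request body and the example.test address are assumptions.

```php
<?php
// Constructed request body mirroring the proof of concept (placeholder e-mail).
$request = json_decode(
    '{"name":"attacker","email":"user@example.test","password":"pass123","is_admin":1}',
    true
);

// Vulnerable shape: every client-supplied key is copied into the user record,
// so a client-chosen is_admin value ends up in the database.
function registerVulnerable(array $input): array
{
    $user = [];
    foreach ($input as $key => $value) {
        $user[$key] = $value;
    }
    return $user;
}

// Hardened shape: only an explicit allow-list is taken from the request,
// is_admin is set by the server, and an attempt to set it is logged.
function registerHardened(array $input): array
{
    $allowed = ['name', 'email', 'password'];

    if (array_key_exists('is_admin', $input)) {
        // Detection hook: unexpected privilege field in a registration request.
        error_log('registration request attempted to set is_admin; ignoring');
    }

    $user = array_intersect_key($input, array_flip($allowed));
    foreach ($allowed as $field) {
        if (!isset($user[$field]) || !is_string($user[$field]) || $user[$field] === '') {
            throw new InvalidArgumentException("missing or invalid field: $field");
        }
    }

    $user['password'] = password_hash($user['password'], PASSWORD_DEFAULT);
    $user['is_admin'] = 0; // server-controlled, never derived from client input
    return $user;
}

$vulnerable = registerVulnerable($request);
$hardened   = registerHardened($request);
echo 'vulnerable is_admin: ' . var_export($vulnerable['is_admin'], true) . PHP_EOL; // 1
echo 'hardened   is_admin: ' . var_export($hardened['is_admin'], true) . PHP_EOL;   // 0
```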