Vulnerability Report - CSU1899

Privilege Escalation via 'localStorage' Manipulation

Cybersecurity Vulnerability Report

For Educational Purposes Only

Prepared for: Shoolini University DigiCampus

Prepared by: Divya Mohan (Cybersecurity Student)

Report ID: CSU1899-DMJ-0001

Date Reported: October 11, 2024

Severity: Critical

Status: Patched (December 2024)

Disclosure: Ethical, Post-Patch

Report Type: Vulnerability Assessment

Report Summary

This report documents a privilege escalation vulnerability discovered in the Shoolini University DigiCampus platform, which allowed unauthorized users to manipulate localStorage entries and escalate privileges to faculty-level access. The vulnerability has been patched as of December 2024.

Security Recommendations

✅ Enforce server-side role validation to prevent client-side manipulation.
✅ Implement token invalidation checks for modified session data.
✅ Use secure, HTTP-only cookies for authentication instead of `localStorage`.

Confidentiality & Legal Disclaimer

This research was conducted ethically and disclosed only after the vulnerability was patched. The researcher had no unauthorized access beyond the scope of ethical security testing. No proprietary information or unauthorized data was accessed, modified, or exfiltrated.

This report is publicly disclosed as part of the Ethical Hacking Academic Project, conducted under responsible disclosure guidelines to enhance cybersecurity awareness and improve platform security.

Confidential Security Report

critical vulnerability

1. Executive Summary

This report outlines the findings of a privilege escalation vulnerability discovered during a penetration test on the Shoolini University DigiCampus platform. The vulnerability allows unauthorized users to manipulate localStorage entries in their browser, leading to privilege escalation from student to faculty roles, thus granting unauthorized access to sensitive resources. This issue could lead to significant security breaches, including unauthorized access to confidential data such as student records, faculty resources, and grading systems.

The purpose of this report is to inform the organization of this security flaw and recommend actionable steps to mitigate the risk.

2. Scope

The scope of this penetration test was limited to the Shoolini University DigiCampus website. Testing was conducted with permission from the organization and focused on identifying security vulnerabilities, particularly those that could result in privilege escalation or unauthorized access to sensitive information.

3. Vulnerability Description

Vulnerability Type: Privilege Escalation

Attack Vector: 'localStorage' Manipulation

During testing, it was found that the platform stores critical user role information such as faculty, student, and userType in localStorage, a client-side storage mechanism. This allows users to directly manipulate these fields, resulting in unauthorized access to higher-privileged areas of the platform. This security flaw stems from the fact that the system trusts client-side data without sufficient server-side validation.

Steps to Reproduce:

Login as a student: Access the DigiCampus platform using valid student credentials.
Inspect localStorage: Open the browser's developer tools and inspect the localStorage for fields like faculty, student, and userType.
Manipulate the values:
- Set faculty: true, student: false, and userType: 'faculty'.
Refresh the page: After modifying the values, refresh the page to observe the escalation in privileges. The user is now recognized as a faculty member and has access to faculty-specific resources.

Impact:

Unauthorized Access: A student can escalate their privileges to a faculty member, gaining access to confidential resources such as student records, grades, and administrative tools.
Data Breach: This could result in the exposure of sensitive information, violating privacy regulations such as GDPR, and could lead to reputational damage.
Privilege Misuse: With access to faculty features, an attacker could alter grades or perform administrative actions on behalf of faculty members.

4. Timeline of Events

October 10, 2024: Initial discovery of client-side data manipulation vulnerability in localStorage.
October 10, 2024: Successfully escalated privileges from student to faculty by modifying localStorage values.
October 11, 2024: Detailed analysis of the impact and potential exploitation scenarios.
October 11, 2024: Report prepared and shared with the organization.

5. Vulnerability Analysis

Root Cause:

Client-Side Trust: The root cause of this vulnerability is the reliance on localStorage to store critical data related to user roles and access control. The server trusts the data sent from the client without verifying its authenticity or integrity.

Potential Exploits:

Role Escalation: Users can modify their role to gain unauthorized access to higher-privileged functions.
Data Breach: By gaining faculty access, users could view or modify sensitive information, such as student records and grades.
Operational Disruption: Misuse of administrative tools by unauthorized users could lead to disruptions in the platform’s operations.

Likelihood:

Given that the data in localStorage is accessible through standard browser developer tools, the likelihood of exploitation is high.

Severity:

This is a critical vulnerability, as it allows a non-privileged user to gain unauthorized access to sensitive and restricted resources.

6. Recommendations

Short-Term Fixes:

Server-Side Role Validation: Ensure that all role-based access control (RBAC) decisions are made server-side, that it, the server should never trust user-provided data, especially roles or permissions stored in localStorage.
Invalidate Modified Tokens: Implement checks that invalidate requests where critical data, such as roles or permissions, has been tampered with.
Session Handling: Use HTTP-only cookies to manage user sessions and roles, which are inaccessible to client-side scripts and prevent tampering.

Long-Term Recommendations:

Use Secure Tokens (eg: JWT): Implement secure, signed tokens like JSON Web Tokens (JWT) that encode user roles and other important data, and should be verified server-side to prevent tamperin-
Data Encryption in localStorage: If localStorage must be used, ensure that sensitive data is encrypted and integrity-checked using digital signature-
Conduct Regular Security Audits: Perform regular security audits and penetration testing to identify and mitigate vulnerabilities earl-
Train Developers: Ensure that the development team is trained on secure coding practices, particularly with respect to client-server trust boundaries and proper handling of sensitive data.

7. Conclusion

The privilege escalation vulnerability identified in the Shoolini University DigiCampus platform is a critical issue that could result in severe security breaches if left unaddressed. By allowing users to manipulate localStorage values, the platform inadvertently enables unauthorized access to sensitive areas reserved for faculty members. This vulnerability should be prioritized for immediate remediation, with emphasis on moving sensitive data handling from client-side storage to server-side validation.

I recommend that the organization implement the fixes and mitigations mentioned above as a priority to safeguard against exploitation and future attacks.

8. References

OWASP Top 10 (2023): https://owasp.org/www-project-top-ten/
X-Force Threat Intelligence Index (2023): https://www.ibm.com/security/xforce
JSON Web Tokens (JWT): https://jwt.io/

———————————— End of Report ————————————

### **1. Executive Summary** This report outlines the findings of a privilege escalation vulnerability discovered during a penetration test on the Shoolini University DigiCampus platform. The vulnerability allows unauthorized users to manipulate `localStorage` entries in their browser, leading to privilege escalation from student to faculty roles, thus granting unauthorized access to sensitive resources. This issue could lead to significant security breaches, including unauthorized access to confidential data such as student records, faculty resources, and grading systems. The purpose of this report is to inform the organization of this security flaw and recommend actionable steps to mitigate the risk. ### **2. Scope** The scope of this penetration test was limited to the Shoolini University DigiCampus website. Testing was conducted with permission from the organization and focused on identifying security vulnerabilities, particularly those that could result in privilege escalation or unauthorized access to sensitive information. ### **3. Vulnerability Description** #### **Vulnerability Type**: Privilege Escalation #### **Attack Vector**: 'localStorage' Manipulation During testing, it was found that the platform stores critical user role information such as `faculty`, `student`, and `userType` in `localStorage`, a client-side storage mechanism. This allows users to directly manipulate these fields, resulting in unauthorized access to higher-privileged areas of the platform. This security flaw stems from the fact that the system trusts client-side data without sufficient server-side validation. #### **Steps to Reproduce**: 1. **Login as a student**: Access the DigiCampus platform using valid student credentials. 2. **Inspect `localStorage`**: Open the browser's developer tools and inspect the `localStorage` for fields like `faculty`, `student`, and `userType`. 3. **Manipulate the values**: - Set `faculty: true`, `student: false`, and `userType: 'faculty'`. 4. **Refresh the page**: After modifying the values, refresh the page to observe the escalation in privileges. The user is now recognized as a faculty member and has access to faculty-specific resources. #### **Impact**: - **Unauthorized Access**: A student can escalate their privileges to a faculty member, gaining access to confidential resources such as student records, grades, and administrative tools. - **Data Breach**: This could result in the exposure of sensitive information, violating privacy regulations such as GDPR, and could lead to reputational damage. - **Privilege Misuse**: With access to faculty features, an attacker could alter grades or perform administrative actions on behalf of faculty members. ### **4. Timeline of Events** 1. **October 10, 2024**: Initial discovery of client-side data manipulation vulnerability in `localStorage`. 2. **October 10, 2024**: Successfully escalated privileges from student to faculty by modifying `localStorage` values. 3. **October 11, 2024**: Detailed analysis of the impact and potential exploitation scenarios. 4. **October 11, 2024**: Report prepared and shared with the organization. ### **5. Vulnerability Analysis** #### **Root Cause**: - **Client-Side Trust**: The root cause of this vulnerability is the reliance on `localStorage` to store critical data related to user roles and access control. The server trusts the data sent from the client without verifying its authenticity or integrity. #### **Potential Exploits**: 1. **Role Escalation**: Users can modify their role to gain unauthorized access to higher-privileged functions. 2. **Data Breach**: By gaining faculty access, users could view or modify sensitive information, such as student records and grades. 3. **Operational Disruption**: Misuse of administrative tools by unauthorized users could lead to disruptions in the platform’s operations. #### **Likelihood**: Given that the data in `localStorage` is accessible through standard browser developer tools, the likelihood of exploitation is **high**. #### **Severity**: This is a **critical** vulnerability, as it allows a non-privileged user to gain unauthorized access to sensitive and restricted resources. ### **6. Recommendations** #### **Short-Term Fixes**: - **Server-Side Role Validation**: Ensure that all role-based access control (RBAC) decisions are made server-side, that it, the server should never trust user-provided data, especially roles or permissions stored in `localStorage`. - **Invalidate Modified Tokens**: Implement checks that invalidate requests where critical data, such as roles or permissions, has been tampered with. - **Session Handling**: Use HTTP-only cookies to manage user sessions and roles, which are inaccessible to client-side scripts and prevent tampering. #### **Long-Term Recommendations**: - **Use Secure Tokens (eg: JWT)**: Implement secure, signed tokens like JSON Web Tokens (JWT) that encode user roles and other important data, and should be verified server-side to prevent tamperin- - **Data Encryption in `localStorage`**: If `localStorage` must be used, ensure that sensitive data is encrypted and integrity-checked using digital signature- - **Conduct Regular Security Audits**: Perform regular security audits and penetration testing to identify and mitigate vulnerabilities earl- - **Train Developers**: Ensure that the development team is trained on secure coding practices, particularly with respect to client-server trust boundaries and proper handling of sensitive data. ### **7. Conclusion** The privilege escalation vulnerability identified in the Shoolini University DigiCampus platform is a critical issue that could result in severe security breaches if left unaddressed. By allowing users to manipulate `localStorage` values, the platform inadvertently enables unauthorized access to sensitive areas reserved for faculty members. This vulnerability should be prioritized for immediate remediation, with emphasis on moving sensitive data handling from client-side storage to server-side validation. I recommend that the organization implement the fixes and mitigations mentioned above as a priority to safeguard against exploitation and future attacks. ### **8. References** - OWASP Top 10 (2023): https://owasp.org/www-project-top-ten/ - X-Force Threat Intelligence Index (2023): https://www.ibm.com/security/xforce - JSON Web Tokens (JWT): https://jwt.io/ ## ———————————— End of Report ————————————