
How Uppercase-Lowercase Matters in Pentesting

Published 2022-05-10
Findings

This blog is about an interesting but weird privilege escalation that I encountered.

So, I was testing a web application, let’s call it www.example.com, and I was looking for a privilege escalation.

Now, two methodologies can find privilege escalation:

 1) Replacing session cookies

 2) Force browsing

So I started testing using the first method, and I tested every endpoint but sadly found nothing.

So, I shifted to the second one, i.e. force browsing. I tried force browsing the restricted URLs, but the server kept redirecting to the dashboard page, and all restricted URLs responded the same way. This made me think that there was a tiny possibility that the application had set weaker restrictions to stop the user from accessing a certain restricted point, something like the restrictions used to prevent path traversal.

So, I started looking for path traversal bypasses, and yeah, I ended up getting one bypass that worked, which was just to capitalize the first letter of the restricted path in the URL.

i.e.

Consider a URL: https://www.example.com/user –> restricted URL

Bypass: https://www.example.com/User –> Bypassed

So simply capitalizing the first letter of the path segment bypasses the restriction and hence yields an application-wide privilege escalation: the access-control check evidently compared the requested path case-sensitively, while the server resolved routes case-insensitively, so a path that failed to match the deny rule was still served.
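The mismatch described above, reproduced as an added example that is not code from the original post or from the application it describes. All route names, the deny-list and the request paths are constructed for illustration. The vulnerable filter applies a case-sensitive deny-list to the raw path while the router resolves routes case-insensitively; the hardened filter canonicalizes the path (percent-decoding, dot-segment resolution, slash collapsing, lowercasing) before checking it, and matches on whole path segments.

```python
"""Case-sensitivity mismatch between an authorization deny-list and a
case-insensitive router, next to a hardened check that canonicalizes first.

Everything here (routes, deny-list, sample paths) is constructed for
illustration and is not taken from any real application."""

import posixpath
from typing import Callable, Optional
from urllib.parse import unquote

# Constructed sample routes. The router resolves them case-insensitively,
# mimicking a backend whose routing (or underlying filesystem) ignores case.
ROUTES = {
    "/dashboard": "dashboard_handler",
    "/user": "user_handler",    # meant to be admin-only
    "/admin": "admin_handler",  # meant to be admin-only
}

# Constructed deny-list used by the authorization filter.
RESTRICTED_PREFIXES = ("/user", "/admin")


def canonicalize(path: str) -> str:
    """Reduce a request path to the one form both the router and the
    authorization check must agree on: percent-decoded, dot segments
    resolved, duplicate slashes collapsed, lowercased."""
    decoded = unquote(path)
    # Re-anchor at a single leading slash so normpath cannot keep a
    # POSIX-style "//" prefix and so ".." can never climb above the root.
    normalized = posixpath.normpath("/" + decoded.lstrip("/"))
    return normalized.lower()


def route(path: str) -> Optional[str]:
    """Case-insensitive route lookup: the behaviour the bypass relies on."""
    return ROUTES.get(canonicalize(path))


def vulnerable_is_allowed(path: str, is_admin: bool) -> bool:
    """Deny-list applied to the raw, case-sensitive path.
    '/User' does not start with '/user', so it passes the filter,
    yet the case-insensitive router still serves the user handler."""
    if is_admin:
        return True
    return not any(path.startswith(p) for p in RESTRICTED_PREFIXES)


def hardened_is_allowed(path: str, is_admin: bool) -> bool:
    """Same deny-list, but applied to the canonical path the router uses,
    and matched on whole segments so that '/users' is not over-blocked."""
    if is_admin:
        return True
    canon = canonicalize(path)
    return not any(canon == p or canon.startswith(p + "/")
                   for p in RESTRICTED_PREFIXES)


def serve(path: str, is_admin: bool,
          is_allowed: Callable[[str, bool], bool]) -> str:
    """Return the handler a request reaches, or the dashboard handler when
    the filter denies it (the redirect-to-dashboard behaviour in the post)."""
    if not is_allowed(path, is_admin):
        return ROUTES["/dashboard"]
    return route(path) or "not_found"


if __name__ == "__main__":
    # Constructed probe paths: the plain restricted URL, the capitalized
    # variant from the post, a percent-encoded 'U', and a dot-segment form.
    for p in ("/user", "/User", "/%55ser", "/public/../User", "/users"):
        print(f"{p:18} vulnerable -> {serve(p, False, vulnerable_is_allowed):18} "
              f"hardened -> {serve(p, False, hardened_is_allowed)}")
```

Run as a script, the table shows the unprivileged request to `/User` reaching `user_handler` through the vulnerable filter but being sent to `dashboard_handler` by the hardened one. The deeper design point is that a URL deny-list is only as good as the canonicalization in front of it; authorization enforced inside each handler (deny by default) does not depend on the filter and the router agreeing on a string representation at all.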
