June 30, 2026
I Could Only Create Low-Privileged Users — Until One API Let Me Create a Super User
By Naveen
3 min read
Introduction
User management is a critical feature in many enterprise applications. To maintain security, organizations implement Role-Based Access Control (RBAC), ensuring that users can only perform actions permitted by their assigned roles.
In many systems, certain users are authorized to create new accounts. However, this permission is often restricted to creating users with equal or lower privilege levels.
During a security assessment, I encountered a vulnerability where a low-privileged user was authorized to create new users but was only intended to assign limited roles. By modifying a single parameter in an API request, I was able to create a new account with Super User privileges.
No authentication bypass.
No stolen credentials.
The application simply trusted the role supplied by the client.
What is Unauthorized Role Assignment?
Unauthorized Role Assignment occurs when an application fails to validate whether a user is permitted to assign specific roles during account creation or modification.
Applications commonly use role identifiers to determine the permissions granted to users. When these identifiers are controlled by the client and not properly validated on the server, attackers may assign elevated privileges that exceed their authorization level.
Example (Sanitized):
{
  "username": "newuser",
  "roleCode": "AU"
}
The application was designed to allow the authenticated user to create accounts with limited privileges.
However, by modifying the request:
{
  "username": "newuser",
  "roleCode": "SU"
}
The server processed the request successfully and created a new Super User account.
At this point, the attacker does not need to compromise an existing administrator account.
The application creates one for them.
Root Cause
The vulnerability originated from several authorization weaknesses:
- Missing server-side validation for role assignments
- Trusting client-supplied role identifiers
- Lack of checks against the authenticated user's privilege level
- Improper enforcement of Role-Based Access Control (RBAC)
The core issue was straightforward:
The application verified that the user was allowed to create accounts but failed to verify what type of accounts they were allowed to create.
Authentication was enforced.
Authorization was not.
Attack Scenario
Consider a practical scenario.
An authenticated user with limited privileges logs into the application. According to business rules, this user is allowed to create only low-privileged accounts.
While creating a new user, the attacker intercepts the API request using an intercepting proxy.
The request contains a parameter responsible for assigning roles to the newly created user.
The original request contains:
"roleCode": "AU"
The attacker modifies it to:
"roleCode": "SU"
The modified request is forwarded to the server.
Instead of rejecting the request, the application successfully creates a new user with Super User privileges and sends the credentials through its normal workflow.
The attacker can now log in using the newly created account and access administrative functionality.
The system unknowingly provisions its own compromise.
Exploitation Methodology
A structured approach to identifying this vulnerability includes:
1. Identify User Creation Functionality
Locate APIs responsible for creating or managing user accounts.
2. Intercept Requests
Capture user creation requests using an intercepting proxy.
3. Analyze Role Parameters
Inspect request bodies for role-related fields such as:
- roleCode
- roleId
- accessLevel
4. Validate Authorization
Determine whether the server restricts role assignments based on the authenticated user's permissions.
The severity of this issue depends on the privileges granted to the created account.
Impact
Improper role assignment can have serious consequences:
- Unauthorized creation of privileged accounts
- Violation of Role-Based Access Control (RBAC)
- Access to administrative features
- Exposure of sensitive information
- Persistent privileged access
- Increased risk of lateral movement within the application
Unlike temporary privilege escalation, newly created privileged accounts can remain active until detected and removed.
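The persistence described above also makes these creations findable after the fact: every provisioned account leaves a creation event behind. The following is an added example, not code from the original post, that reviews a constructed JSON-lines audit log of account-creation events and flags accounts whose role outranks the role of the user who created them. The event and field names and the four-level role hierarchy are assumptions for the example; only the AU and SU role codes come from the post.

```python
import json

# Assumed role hierarchy (higher rank = more privilege); only "AU" and "SU" are from the post.
ROLE_RANK = {"AU": 1, "PM": 2, "AD": 3, "SU": 4}

# Constructed sample audit log in JSON-lines form. The event names and field
# names are assumptions for this example, not a real product's log format.
SAMPLE_AUDIT_LOG = """\
{"ts": "2026-06-30T10:01:00Z", "event": "user.create", "actor": "admin1", "actorRole": "SU", "target": "bob", "targetRole": "AU"}
{"ts": "2026-06-30T10:04:12Z", "event": "user.create", "actor": "alice", "actorRole": "AU", "target": "newuser", "targetRole": "SU"}
{"ts": "2026-06-30T10:05:40Z", "event": "user.login", "actor": "newuser", "actorRole": "SU"}
{"ts": "2026-06-30T10:09:03Z", "event": "user.create", "actor": "pm1", "actorRole": "PM", "target": "carol", "targetRole": "AD"}
{"ts": "2026-06-30T10:11:30Z", "event": "user.create", "actor": "pm1", "actorRole": "PM", "target": "dave", "targetRole": "PM"}
{"ts": "2026-06-30T10:12:00Z", "event": "user.create", "actor": "svc", "actorRole": "BOT", "target": "eve", "targetRole": "AU"}
this line is not JSON and should be skipped, not crash the review
"""


def parse_audit_log(text: str) -> tuple[list[dict], int]:
    """Parse JSON lines; returns (events, number_of_unparsable_lines)."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return events, skipped


def find_unauthorized_creations(events: list[dict]) -> list[dict]:
    """Flag user.create events where the created role outranks the creator's
    role, or where either role code is unknown (which also deserves a look)."""
    findings = []
    for e in events:
        if e.get("event") != "user.create":
            continue
        actor_rank = ROLE_RANK.get(e.get("actorRole"))
        target_rank = ROLE_RANK.get(e.get("targetRole"))
        if actor_rank is None or target_rank is None:
            reason = "unknown role code"
        elif target_rank > actor_rank:
            reason = f"{e['actorRole']} actor created a {e['targetRole']} account"
        else:
            continue
        findings.append({"ts": e.get("ts"), "actor": e.get("actor"), "target": e.get("target"),
                         "targetRole": e.get("targetRole"), "reason": reason})
    return findings


def still_active(findings: list[dict], active_usernames: set[str]) -> list[str]:
    """Of the flagged accounts, which ones still exist? These are the persistent
    footholds the post warns about and should be disabled, not just noted."""
    return sorted({f["target"] for f in findings if f["target"] in active_usernames})


if __name__ == "__main__":
    events, skipped = parse_audit_log(SAMPLE_AUDIT_LOG)
    findings = find_unauthorized_creations(events)
    for f in findings:
        print(f"{f['ts']} {f['actor']} -> {f['target']} ({f['targetRole']}): {f['reason']}")
    print("skipped lines:", skipped)
    print("still active:", still_active(findings, {"bob", "newuser", "dave"}))
```

On the sample data the review flags three creations: newuser (an AU user created an SU account, the case from the post), carol (PM created AD) and eve (an unrecognised creator role). Comparing the flagged names against the current user list turns the finding into a cleanup list rather than a historical note.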
Mitigation Strategies
Preventing unauthorized role assignment requires strong server-side controls.
1. Enforce Server-Side Authorization
Validate every role assignment against the authenticated user's permissions.
2. Restrict Privileged Role Assignment
Only authorized administrators should be permitted to assign elevated roles.
3. Remove Client Control
Role assignments should be determined or validated by the server rather than trusting client-supplied values.
4. Implement Least Privilege
Users should only be able to create accounts with permissions equal to or lower than their own authorization level.
5. Audit User Creation Activities
Monitor and log all account creation events and privileged role assignments.
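To tie the five points together, here is an added example, not code from the original post, of a minimal account-creation handler in Python. It puts the trusting "before" from the Unauthorized Role Assignment section beside a hardened version that checks the requested role against what the authenticated caller may assign, defaults to the least-privileged role when the client sends none, and writes an audit record for every decision. The role hierarchy, the PM and AD role codes, the Principal type and the response shape are assumptions; only the AU and SU codes come from the post.

```python
import json
import logging
from dataclasses import dataclass

log = logging.getLogger("user-admin")

# Assumed role hierarchy (higher rank = more privilege). "AU" and "SU" are the
# codes from the post; "PM" and "AD" are made up to give the hierarchy some depth.
ROLE_RANK = {"AU": 1, "PM": 2, "AD": 3, "SU": 4}
DEFAULT_ROLE = "AU"


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as resolved server-side from the session or token."""
    username: str
    role: str


def create_user_vulnerable(caller: Principal, body: str, store: dict) -> dict:
    """The 'before': the caller is authenticated, but roleCode is taken from the
    client as-is, so any caller can provision a Super User."""
    req = json.loads(body)
    store[req["username"]] = req["roleCode"]
    return {"status": 201, "username": req["username"], "roleCode": req["roleCode"]}


def assignable_roles(caller: Principal) -> set[str]:
    """Least privilege: a caller may grant only roles ranked at or below their own."""
    own = ROLE_RANK[caller.role]
    return {code for code, rank in ROLE_RANK.items() if rank <= own}


def create_user_hardened(caller: Principal, body: str, store: dict) -> dict:
    """The 'after': server-side authorization of the requested role, a safe default
    when the client sends none, and an audit record for every decision."""
    req = json.loads(body)
    username = req["username"]
    requested = req.get("roleCode", DEFAULT_ROLE)

    if requested not in ROLE_RANK:
        log.warning("audit deny: actor=%s role=%s target=%s requested=%r reason=unknown-role",
                    caller.username, caller.role, username, requested)
        return {"status": 400, "error": "unknown roleCode"}

    if requested not in assignable_roles(caller):
        # The caller may create accounts, just not this kind. Deny and log;
        # do not silently downgrade the role, or the tampering goes unnoticed.
        log.warning("audit deny: actor=%s role=%s target=%s requested=%s reason=not-assignable",
                    caller.username, caller.role, username, requested)
        return {"status": 403, "error": "not permitted to assign this role"}

    store[username] = requested
    log.info("audit create: actor=%s role=%s target=%s assigned=%s",
             caller.username, caller.role, username, requested)
    return {"status": 201, "username": username, "roleCode": requested}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    low_priv = Principal("alice", "AU")
    tampered = '{"username": "newuser", "roleCode": "SU"}'
    print("vulnerable:", create_user_vulnerable(low_priv, tampered, {}))
    print("hardened:  ", create_user_hardened(low_priv, tampered, {}))
```

The caller's role comes from the server-side principal, never from the request body, and the denied request is logged rather than quietly clamped to a lower role: a 403 plus an audit line is what lets the monitoring in point 5 notice the tampering at all.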
Conclusion
Role-Based Access Control is effective only when enforced consistently.
Allowing users to create accounts is not inherently risky. Allowing them to decide the privileges of those accounts without proper validation is.
When applications trust role identifiers supplied by the client, attackers do not need to steal administrative access.
They simply create it.
Security is not just about verifying who a user is.
It is equally about verifying what they are allowed to do.