While testing a real-world application, I came across a critical privilege escalation vulnerability that allows an Admin user to impersonate a Super Admin.
At first glance, the impersonation feature looked like a normal admin functionality — something many SaaS platforms use for support or debugging. But a small oversight in authorization turned it into a complete platform takeover vector.
The application provides an impersonation feature, allowing admins to log in as other users.
However, the backend fails to validate whether the Admin is authorized to impersonate high-privileged accounts (like Super Admins).
This leads to a simple but powerful flaw:
- The system trusts user-controlled input (the user ID in the request)
- No proper RBAC (Role-Based Access Control) is enforced
- Result → Privilege Escalation to Super Admin

Step-by-Step Reproduction
1. Log in using a normal Admin account
2. Navigate to the User Management section
3. Try to impersonate any user
4. Intercept the request using Burp Suite
5. Locate the user ID in the request URL
6. Replace it with the Super Admin user ID
7. Forward the request
Result: The application allows impersonation of the Super Admin account
Proof of Concept (PoC):

```http
POST /admin/users/super-admin-id/impersonate HTTP/2
Host: 111.huducloud.com
Cookie: session=your-session-cookie
User-Agent: Mozilla/5.0
Accept: text/html
Referer: https://111.huducloud.com/admin/users/
X-Csrf-Token: csrf-token
Content-Type: application/x-www-form-urlencoded

authenticity_token=auth-token
```
Key Manipulation:
- Replace `super-admin-id` in the request path with the target (Super Admin) user ID
- No server-side validation → Request succeeds
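The missing check, shown as an added example rather than the vendor's code: a plain Ruby authorization helper for an impersonation endpoint, with the flawed "is the caller an admin?" test beside a hardened version that also compares the stored role of the target against the caller's. The `User` struct, role names and ranks are assumptions for illustration.

```ruby
# Added example: authorization for an impersonation endpoint (plain Ruby, no
# framework). The User struct, role names and their ranks are assumptions.
require 'logger'

User = Struct.new(:id, :role)

# Higher number = more privilege.
ROLE_RANK = { 'user' => 0, 'support' => 1, 'admin' => 2, 'super_admin' => 3 }.freeze

# Flawed check mirroring the write-up: it only asks whether the caller is an
# admin and never looks at the target, so an Admin can impersonate a Super Admin.
def vulnerable_can_impersonate?(actor, _target)
  ROLE_RANK.fetch(actor.role, -1) >= ROLE_RANK['admin']
end

# Hardened check: the actor must hold at least admin rank AND the target must
# sit strictly below the actor in the hierarchy. Unknown roles fail closed and
# self-impersonation is refused.
def can_impersonate?(actor, target)
  actor_rank  = ROLE_RANK[actor.role]
  target_rank = ROLE_RANK[target.role]
  return false if actor_rank.nil? || target_rank.nil?
  return false if actor.id == target.id
  actor_rank >= ROLE_RANK['admin'] && target_rank < actor_rank
end

# Endpoint logic: the target id comes from the URL and is attacker-controlled,
# so the decision is based on the target's stored role looked up server-side,
# never on anything the client sends. Denied attempts are logged for detection.
def impersonate(actor, target_id, users, logger = Logger.new($stderr))
  target = users[target_id]
  return :not_found if target.nil?
  unless can_impersonate?(actor, target)
    logger.warn("impersonation denied actor=#{actor.id} target=#{target.id}")
    return :forbidden
  end
  logger.info("impersonation actor=#{actor.id} target=#{target.id}")
  :ok
end
```

With the hardened check the PoC request above (an Admin targeting the Super Admin id) returns `:forbidden` and leaves a log line, while impersonating an ordinary user still succeeds.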
Impact
This vulnerability is extremely critical because an attacker with Admin access can:
- Gain full Super Admin privileges
- Access and modify sensitive data
- Manage all users and permissions
- Change system-wide configurations
- Potentially compromise the entire platform