Web Security Published Jul 28, 2025

From Cross-Subdomain Cookie Reuse to Becoming Super Admin: An Exploit Chain Walkthrough

Two tenants, two subdomains, one shared authentication model. Swap a response in Burp Suite and the platform's own administrator console becomes your lateral-movement path into somebody else's organisation.

Cross-Subdomain Cookie Reuse to Super Admin

Understanding the Application

The application being tested provided each organisation with a dedicated subdomain. For example, an organisation called cyberpro151 would receive cyberpro151.target.com. Within this subdomain, users could create new accounts, view customers, see orders and, if they held super-admin privileges, remove existing users. The system included four roles: Super Admin, Admin, Lab Staff User, and Customer Support.

Notably, Super Admins could create additional super admins within their organisation. As part of a grey-box penetration test, the team received super-admin credentials for two different organisations, referred to below as attacker.target.com and victim.target.com.

Tenant login page on victim.target.com

Cross-Subdomain Cookie Exploitation

The attack began at victim.target.com's login page. The testers entered the attacker organisation's super-admin credentials and captured the authentication request to api.target.com:

POST /auth/sign-in?tenantId=<ID of Organization> HTTP/2
Host: api.target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://attacker.target.com
Content-Type: application/json
Content-Length: 58
Origin: https://attacker.target.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site

{"email":"attacker@gmail.com","password":"AttackersPassword"}

Captured successful sign-in response containing session credentials

The successful authentication response contained session credentials. The attackers then proceeded to victim.target.com, entered incorrect login credentials, and used Burp Suite to intercept and replace the failed response with the successful response from the attacker organisation.

Login request captured in Burp Suite on victim tenant
Burp Suite intercept menu showing the request being held
Original failed-login response before substitution
Replaced response: successful session credentials forwarded to the client

This cross-subdomain cookie reuse allowed them to authenticate as a super admin in the victim's environment.

Authenticated dashboard on victim.target.com

Although the substituted session was accepted, the attackers could not view victim-organisation data. They found, however, that administrative actions still worked: navigating to https://victim.target.com/app/administrator, they reached the interface for adding new administrators.

Administrator interface on the victim tenant
Add-new-admin form on victim.target.com

They created a new super-admin account and selected the Super Admin role. Upon submission, they received a confirmation email with credentials for this newly created account.

Selecting the Super Admin role when creating the new administrator
Confirmation email with newly-created super admin credentials

Using these fresh credentials to log in to victim.target.com, they gained full access to victim-organisation data with complete super-admin privileges.

Full access to victim organisation's data with super-admin privileges

Conclusion

This exploitation chain demonstrates a critical class of vulnerabilities in multi-tenant applications, where any attacker holding Super Admin rights in their own organisation could escalate privileges in another simply by knowing its subdomain. The attack combined cross-subdomain cookie reuse with a broken access-control check on the administrator-creation endpoint to achieve full privilege escalation across a tenant boundary.

For engineering teams, the fix is two-layered: scope session cookies per-tenant (never at the parent domain), and enforce tenant authority on every privileged endpoint regardless of what cookie the client sent. Credit to HackerX007 for first presenting this technique at BSides Ahmedabad.
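As an added illustration of that two-layer fix (example code written for this page, not the tested platform's own code): the session token carries the tenant it was issued for, the privileged endpoint compares that bound tenant against whatever tenant the client asked for (the tenantId parameter or Origin subdomain), and a small audit helper flags Set-Cookie headers that scope the session to the parent domain. Tenant ids, role names and the demo key are constructed.

```python
import base64, binascii, hashlib, hmac, json

# Constructed demo key; a real deployment would load this from a secret store.
SECRET = b"constructed-demo-key-do-not-use"

def issue_session(user_id, tenant_id, role):
    """Mint a session token whose signed payload names the tenant it was issued for."""
    payload = json.dumps({"sub": user_id, "tenant": tenant_id, "role": role}).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig

def parse_session(token):
    """Return the payload dict if the signature verifies, otherwise None."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(payload)

def authorize(token, requested_tenant, action):
    """Server-side gate for a privileged endpoint such as administrator creation.

    requested_tenant is what the client claims (tenantId parameter or Origin
    subdomain); the tenant bound into the session is the authority, so a session
    minted for one tenant is rejected on every other tenant's endpoints.
    """
    session = parse_session(token)
    if session is None:
        return 401, "invalid or forged session"
    if session["tenant"] != requested_tenant:
        return 403, "session was issued for a different tenant"
    if action == "create_admin" and session["role"] != "super_admin":
        return 403, "role may not create administrators"
    return 200, "ok"

def cookie_scoped_to_parent(set_cookie_header, parent_domain="target.com"):
    """Audit helper: True when a Set-Cookie header shares the session across all subdomains."""
    for attr in set_cookie_header.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "domain" and value.lstrip(".").lower() == parent_domain:
            return True
    return False
```

Run the audit helper over the login response's Set-Cookie headers in a proxy log or integration test; any hit means the first layer of the fix is missing and only the per-endpoint tenant check stands between tenants.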