Angular Security Special No. 3 - Authorization Bypass: Exploiting a Vulnerability to Take Over Administrator Accounts

This article summarizes a problem that occurred in a real project. In short, it is an authorization bypass that allows an administrator account to be taken over.

The details are as follows. Our projects usually have a user authentication function, and different users have different permissions. The administrator account has by far the highest permissions: it can modify the information of any user or account with lower permissions than its own. If the handling here is not rigorous enough, permission-related problems arise.

For example, the problem I encountered on my project was that an authenticated user with the "Admin" role could change the password of the current admin account by combining the update-user-information function with the "Forgot Password" feature, gaining full control of that account.

Reproducing the problem

The figure below shows the flow of this vulnerability.

Step-by-step reproduction

On the login page, the admin user logs in with his or her account email address and password.

After logging in successfully, go from the main page to the user management page.

Note: administrator users can modify email addresses without any restriction, so even changing the domain part of the address (@example.com -> @xxx.com) is accepted as valid.

After saving:

Return to the login page. The account's email address is now the attacker's email address (the attacker does not know the password at this point). Click "Forgot Password" to reset the password.

The password is reset, and the attacker now holds a fully legitimate administrator account.

The attacker logs in successfully using the modified information.

At this point, the attacker can carry out further attacks, including maliciously tampering with environment configuration (product information, specific data, database configuration and system runtime parameters). Since the attacker now holds administrator rights, the resulting damage can be enormous.

Solution

<!-- Bind the current address and disable the field unless the check below allows editing -->
<input type="text" [value]="user.email" [disabled]="!emailUpdatable"/>

import { endsWith } from 'lodash';

checkEmailUpdatability(): void {
    // Editable only for non-administrator accounts outside the protected domain
    this.emailUpdatable = (this.user.role !== 'administration' && !endsWith(this.user.email, '@example.com'));
}

As shown in the code above, check the user's role and the domain of the user's email address. This stops users with administrator rights from changing email addresses at will: the administrator's email address is protected and cannot be changed to the attacker's address, so the attacker cannot obtain administrator privileges through the forgotten-password function. Non-administrator users have lower permissions and will not damage the project even if they are exposed.
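Disabling the input only changes the UI; the request that updates the email address is still sent by the browser and must be rejected on the server with the same rule, otherwise the reproduction steps above still work with the field re-enabled in the developer tools. The following TypeScript is an added example (not code from the original post or its project) that writes the policy from checkEmailUpdatability() as a pure function shared by the component and the API handler, and models the "Forgot Password" step to show where the reset link would go with and without the check. The names User, Role, canUpdateEmail, applyEmailUpdate, applyEmailUpdateUnchecked and passwordResetRecipient, and the sample accounts, are assumptions made for this example.

```typescript
// Added example: the article's email-update policy as a reusable rule.
// Names and sample data are constructed for illustration.

type Role = 'administration' | 'user';

interface User {
  id: number;
  email: string;
  role: Role;
}

interface UpdateResult {
  ok: boolean;
  user: User;
  reason?: string;
}

// Domain whose addresses must never be re-pointed (matches the article's '@example.com').
const PROTECTED_DOMAIN = '@example.com';

// Same rule as the component's checkEmailUpdatability(): only non-administrator
// accounts outside the protected domain may have their address changed.
function canUpdateEmail(target: User): boolean {
  return target.role !== 'administration' && !target.email.endsWith(PROTECTED_DOMAIN);
}

// The vulnerable behaviour described in the article: the update is applied unconditionally.
function applyEmailUpdateUnchecked(target: User, newEmail: string): UpdateResult {
  return { ok: true, user: { ...target, email: newEmail } };
}

// Hardened handler: the same rule is evaluated where the request is processed,
// so a re-enabled input or a hand-crafted request cannot bypass it.
function applyEmailUpdate(target: User, newEmail: string): UpdateResult {
  if (!canUpdateEmail(target)) {
    return { ok: false, user: target, reason: 'email of this account cannot be changed' };
  }
  return { ok: true, user: { ...target, email: newEmail } };
}

// Model of the "Forgot Password" step: the reset link is sent to whatever
// address the account currently holds, which is why the address must be protected.
function passwordResetRecipient(user: User): string {
  return user.email;
}

// Constructed sample accounts (not real data).
const ADMIN: User = { id: 1, email: 'admin@example.com', role: 'administration' };
const STAFF: User = { id: 2, email: 'staff@example.com', role: 'user' };
const EXTERNAL: User = { id: 3, email: 'guest@partner.test', role: 'user' };

// Walk the article's scenario against both handlers and report where the reset goes.
function demo(): string[] {
  const attackerAddress = 'attacker@xxx.com';
  const lines: string[] = [];
  const unchecked = applyEmailUpdateUnchecked(ADMIN, attackerAddress);
  lines.push(`unchecked: reset link for admin goes to ${passwordResetRecipient(unchecked.user)}`);
  const checked = applyEmailUpdate(ADMIN, attackerAddress);
  lines.push(`checked: update ok=${checked.ok}, reset link goes to ${passwordResetRecipient(checked.user)}`);
  for (const u of [STAFF, EXTERNAL]) {
    lines.push(`${u.email}: editable=${canUpdateEmail(u)}`);
  }
  return lines;
}

console.log(demo().join('\n'));
```

The component keeps calling canUpdateEmail() to decide whether the field is disabled, and the API handler calls applyEmailUpdate() on the stored record rather than on role or email values supplied by the client, since those are under the requester's control.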


Origin: blog.csdn.net/KenkoTech/article/details/132563935