🔬Vulnerability Labs

Access control vulnerabilities

🌐 Resources 🔗

• 📽️ Broken Access Control (Long Version) - Rana Khalil

• WSTG-ATHZ-02 - Testing for Bypassing Authorization Schema

Unprotected admin functionality

Find the admin panel and delete the user carlos.

GET /robots.txt

# Response
HTTP/2 200 OK
Content-Type: text/plain; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 45

User-agent: *
Disallow: /administrator-panel

Unprotected admin functionality with unpredictable URL

Find the unpredictable admin panel and delete user carlos.

• Admin panel found in the code of the / or /login page response for example

User role controlled by request parameter

Access the /admin panel and use it to delete user carlos.

Admin panel use a forgeable cookie to identify administrators.

User's creds: wiener:peter

• Send this request to the repeater and forge the cookie with Admin=true

• Delete user carlos once the admin panel login is bypassed.

• Burp Proxy interception (or browser Dev Tools) can be used too, while logging in, to set the Cookie to Admin=true, and to access the Admin panel from /my-account .

User role can be modified in user profile

App's /admin panel is accessible only to users with roleid = 2.

Access the /admin panel and use it to delete user carlos.

• Once logged in, update the email

• Send this POST request to the repeater and add "roleid:2" into the JSON body

• Browse to /admin and delete user

URL-based access control can be circumvented

External access to /admin panel is blocked at front-end. Back-end supports X-Original-URL header.

Access the /admin panel and use it to delete user carlos.

• Send a Request to / with an X-Original-URL header pointing top a non-existing resource

  • With re response 404 Not Found it means the app supports the special request headers

• Send an allowed URL as main and the real target in the X-Original-URL

• Delete user using the X-Original-Url header

Method-based access control can be circumvented

App's access control is based on the HTTP method of requests.

Admin creds: administrator:admin.

Login with wiener:peter credentials and exploit the access control to promote the user to an administrator.

• Login as administrator, promote carlos and send the request to the repeater

• Login with wiener in an incognito windows and get the session cookie. Input the session cookie in the existing repeater request -> Unauthorized

• Change the method to POSTX -> Missing parameter 'username'

• Right click on the request and convert it to GET with Change request method

  • Set the username to wiener and send it

  • GET method is allowed

• wiener user has access to the admin panel now

User ID controlled by request parameter

Login with wiener:peter credentials and exploit the horizontal privesc vulnerability on the account page to get carlos's API key.

• Login as wiener and send the request to the repeater

• Change the id to id=carlos and send the GET request to get the Carlos's API key

• Click the Submit solution button and paste the API key to solve the lab - eXXoHWSpwaZpxBAXr7MbVt9GMoEuCpy9

User ID controlled by request parameter, with unpredictable user IDs

The app identifies users with GUIDs.

Login with wiener:peter credentials and exploit the horizontal privesc vulnerability on the account page to get carlos's GUID and API key.

• Find a carlos blog post and get its user ID. /blogs leaks the account's userID

• Login as wiener, go to the account page and send the request to the repeater

• Change the id to id=fe62ab1c-3eb7-47b8-862b-1c1c47a5490c and send the GET request to get the Carlos's API key

• Click the Submit solution button and paste the API key to solve the lab - p3UtBNlmwKtAnEf0PKgBcW9sPQNJcMLq

User ID controlled by request parameter with data leakage in redirect

The app leaks sensitive information in the body of a redirect response

Login with wiener:peter credentials and exploit the access control vulnerability to get carlos's API key.

• Login as wiener, access the account page via browser and change the id to id=carlos and send the GET request to get the Carlos's API key

• This request is redirected to the login page. Check the redirect body content in BurpSuite and find the carlos API key

• Click the Submit solution button and paste the API key to solve the lab - ah9Nwj1bvuWv5uvWPK86EBHZCnghqRHe

User ID controlled by request parameter with password disclosure

The user account page leaks password in a masked input.

Login with wiener:peter credentials, retrieve administrator password and delete carlos user.

• Login as wiener and access the account page

• Change the id to id=administrator and check the response containing the administrator's password

• Login as administrator:dta5qwrsg998j416zqh0 and delete carlos

Path traversal

🌐 Resources 🔗

• 📽️ What is Directory Traversal? - Intigriti

• 📽️ Directory Traversal attacks are scary easy - TCM

• 📽️ Directory Traversal Playlist- z3nsh3ll

• 📽️ Directory Traversal (Long Version) - Rana Khalil

• WSTG-ATHZ-01 - Testing Directory Traversal File Include

Simple case

Open BurpSuite - Turn off the intercept - Open its internal Browser and open the lab link - Check HTTP history for intercepted requests - Check Images in the Filter settings

• Find a fetched product image Request

  • right click on it and Send to Repeater, or select it and press CTRL+R

• Change the Request

Traversal sequences blocked with absolute path bypass

The app blocks path traversal sequences but treats the filename as relative to a default working directory.

Traversal sequences stripped non-recursively

The app strips path traversal sequences from the supplied filename before using it.

Traversal sequences stripped with superfluous URL-decode

The app blocks input containing path traversal sequences and then performs URL-decode before using it.

• With ../../../etc/passwd it does not work

• Use BurpSuite Decoder to double URL-Encode the ../../../etc/passwd string

  • \ / should always be encoded

Validation of start of path

The application transmits the full file path and validates that it starts with the expected folder.

Validation of file extension with null byte bypass

The app validates the supplied filename end with expected file extension.

• Use a null byte character \0 to represent the end of the string

  • ../../../etc/passwd\0.png > ..%2f..%2f..%2fetc%2fpasswd%00.png

  • the O.S. requests retrieval of the string, it assumes the string is terminated after passwd