Accessing Admin Dashboards With Broken Authentication
Description
Broken authentication occurs when an application's authentication mechanisms are implemented incorrectly, allowing an attacker to compromise user identities. The result is unauthorized access to user accounts and sensitive data, and the ability to perform actions on behalf of the compromised users.
Attacker's Thought Process
In this discussion, we'll address the Execution After Redirect (EAR) vulnerability, which can be exploited to bypass authentication and Single Sign-On (SSO) mechanisms. An EAR flaw exists when the server issues a redirect for an unauthenticated request but keeps executing the protected code and includes the full page in the same response. An attacker who simply does not follow the redirect can read that page, even without being authenticated or authorized through SSO.
The web server might issue a 302 Found status code; however, the response body could be large and present data as though the attacker had been authenticated. Sometimes the redirect is instead performed on the client side using a <meta> refresh or a <script> tag, in which case the status code is 200 and the protected content sits in the body regardless.
Reconnaissance
An attacker can initiate custom content discovery within a web application through "structured fuzzing": tailoring the fuzzing to the technology and path structure of the target. If the application runs on PHP and is presented in Spanish, the wordlist should contain PHP filenames and Spanish words rather than a generic English list. To achieve this, spider the website and build a custom wordlist from the paths and filenames it already exposes, which markedly improves fuzzing results. One can spider the application with GoSpider to collect paths and files, then fuzz it with FFUF using the resulting wordlist.
Below is a typical FFUF command used for this purpose:
After the fuzzing is completed, if the EAR vulnerability exists, the results will display a 302 status code accompanied by a large response body. A correct redirect carries an empty body or a stub of a few hundred bytes, so a 302 of several kilobytes is the signal to investigate.
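As an added example, not a command or script from the original post, the Python below performs the two reconnaissance steps described above offline: it builds a structured wordlist from a list of spidered URLs (assumed one URL per line, as a crawler such as GoSpider can emit), and it triages ffuf JSON output (ffuf -of json) for the EAR signature, a redirect status with a large body. The Spanish seed words, the sample URLs and the ffuf results are constructed for the example; only the field names follow ffuf's JSON format.

```python
"""Structured content discovery for hunting Execution After Redirect (EAR).

Added example: builds a wordlist from spidered URLs, then triages ffuf JSON
output for redirects that carry a suspiciously large body.
"""
import json
from urllib.parse import urlparse

# Extensions of the target technology (PHP, as in the write-up).
TECH_EXTENSIONS = ("php",)
# Constructed seed words in the application's language (Spanish here); these
# are illustrative guesses, not a list from the page.
LANGUAGE_SEEDS = ("administrador", "usuarios", "informes", "configuracion", "subir", "panel")
# Redirect statuses whose bodies should normally be empty or a tiny stub.
REDIRECT_CODES = {301, 302, 303, 307, 308}


def build_wordlist(urls, extensions=TECH_EXTENSIONS, seeds=LANGUAGE_SEEDS):
    """Turn spidered URLs (one per line) into a targeted wordlist.

    Every directory segment and file stem seen in the crawl becomes a candidate,
    emitted bare (directory guess) and with each target extension (file guess),
    so the list mirrors the application's own naming instead of a generic one.
    """
    words = set(seeds)
    for url in urls:
        path = urlparse(url.strip()).path
        for segment in filter(None, path.split("/")):
            stem, dot, _ext = segment.rpartition(".")
            words.add(stem if dot else segment)  # seo_admin.php -> seo_admin
    wordlist = set()
    for word in words:
        wordlist.add(word)
        wordlist.update(f"{word}.{ext}" for ext in extensions)
    return sorted(wordlist)


def find_ear_candidates(ffuf_json, min_body=1024):
    """Return ffuf results that look like EAR: a redirect status with a big body.

    A correct redirect answers with a Location header and an empty (or tiny)
    body. A 302 that still carries kilobytes of HTML means the handler kept
    executing after the redirect and leaked the protected page.
    """
    results = json.loads(ffuf_json)["results"]
    hits = [
        {
            "url": r["url"],
            "status": r["status"],
            "length": r["length"],
            "location": r.get("redirectlocation", ""),
        }
        for r in results
        if r["status"] in REDIRECT_CODES and r["length"] >= min_body
    ]
    return sorted(hits, key=lambda h: h["length"], reverse=True)


# Constructed sample crawl output (one URL per line) and ffuf -of json output;
# the field names follow ffuf's JSON format, the values are made up.
SPIDERED = """\
https://www.bugnode.ltd/
https://www.bugnode.ltd/index.php
https://www.bugnode.ltd/administrator/login.php
https://www.bugnode.ltd/assets/logo.png
https://www.bugnode.ltd/informes/ver.php?id=3
""".splitlines()

FFUF_OUTPUT = json.dumps({"results": [
    {"url": "https://www.bugnode.ltd/administrator/", "status": 302,
     "length": 231, "redirectlocation": "/administrator/login.php"},
    {"url": "https://www.bugnode.ltd/administrator/login.php", "status": 200,
     "length": 5120, "redirectlocation": ""},
    {"url": "https://www.bugnode.ltd/administrator/seo_admin.php", "status": 302,
     "length": 18433, "redirectlocation": "/administrator/login.php"},
]})

if __name__ == "__main__":
    for entry in build_wordlist(SPIDERED):
        print(entry)
    for hit in find_ear_candidates(FFUF_OUTPUT):
        print(f"EAR candidate: {hit['url']} -> {hit['status']} "
              f"({hit['length']} bytes, Location: {hit['location']})")
```

The 231-byte 302 for /administrator/ is what a healthy redirect looks like and is ignored; the 18 KB 302 is the one worth opening in the proxy. Set min_body just above the stub size the target normally returns for its redirects.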
Exploitation
After identifying the EAR vulnerability, one must utilize the Match and Replace rules in the Burp Suite proxy. Since a "302 Found" response typically includes a "Location" header, which is what makes the browser navigate away, an attacker can use a Match and Replace rule on response headers to remove the Location header. The browser then has nothing to follow and renders the body that the server already sent.
Replace Location Header To Avoid Redirect
After setting the "Location" header to be replaced, the attacker can access the administrative URL previously discovered through fuzzing, such as "https://www.bugnode.ltd/administrator/seo_admin.php". This reveals the administrator's picture-upload functionality.
SEO Admin Picture Upload
This eventually resulted in Remote Code Execution on the web server: the feature had an Unrestricted File Upload vulnerability, so a PHP file could be uploaded and then requested directly.
SEO Admin Picture Upload
Bypassing SSO Through The Same Approach
In another web application assessment, the system appeared to be safeguarded by Single Sign-On (SSO), requiring corporate credentials for access. However, exploiting an EAR vulnerability with the same approach made it possible to access user reports without those credentials.
Identifying EAR Vulnerability
As seen in the previous picture, the Burp Suite proxy shows a "302 Found" status code accompanied by a large response, redirecting to Microsoft's SSO login.
Identifying EAR Vulnerability
By configuring the "Location" header for replacement, the redirection to Microsoft's SSO is bypassed, granting access to the web application.
Access To Previously Found /user/reports
Mitigation Strategies
- Proper Termination: Always stop execution immediately after issuing a redirect. In a function, return right after the redirect so that none of the protected code below it runs.
- Use Termination Functions: In PHP, call exit() or die() directly after header('Location: ...'); the header call alone does not stop the script, and everything after it is still executed and sent to the client. In frameworks, return the redirect response object rather than calling a redirect helper and continuing.
- Avoid Relying Solely on Client-Side Redirects: A redirect performed with JavaScript or a <meta> tag is not access control; the protected content is already in the response and the client can simply not execute it. Perform the authorization check on the server and send no protected data when it fails.
How We Help
At BugNode, we specialize in uncovering web application vulnerabilities through meticulous vulnerability research. We use a tailored approach and testing methods that adapt to your application to detect and reinforce potential weak points, safeguarding your digital assets against phishing and malware threats. Partner with us for a proactive defense strategy that secures your web applications and protects your data.