Accessing Admin Dashboards With Broken Authentication


Description

Broken authentication occurs when an application's mechanisms are implemented incorrectly, allowing attackers to compromise user identities. This vulnerability can lead to unauthorized access to user accounts and sensitive data, potentially enabling malicious actions on behalf of compromised users.

Attacker's Thought Process

In this discussion, we'll address the Execution After Redirect (EAR) vulnerability, which can be exploited to bypass authentication and Single Sign-On (SSO) mechanisms. By taking advantage of an EAR vulnerability, an attacker can ignore redirects on web pages that return a complete data response, even when the attacker is not authenticated or authorized through SSO.

The web server might issue a 302 Found status code; however, the response body can still be large and present data as though the attacker had been authenticated. Sometimes the redirect is performed on the client side instead, using a <meta> or <script> tag.

Reconnaissance

An attacker can initiate custom content discovery within a web application by employing "structured fuzzing." This approach tailors the fuzzing to the technology and path structure of the web application. If the application uses PHP as its technology and is presented in the Spanish language, it's essential to fuzz PHP-related files in Spanish. To effectively achieve this, it's advisable to spider the website and construct a custom wordlist, enhancing fuzzing results. One can spider the web application using GoSpider to collect paths and files, and then use FFUF to fuzz the application after creating a custom wordlist.

Below is a typical FFUF command used for this purpose:

[Figure: FFUF command used for structured fuzzing]

After the fuzzing is completed, if the EAR vulnerability exists, the results will display a 302 status code accompanied by a large response.

[Figure: FFUF results showing a 302 status code with a large response]
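The rule just stated (a 3xx whose body is far larger than a bare redirect page) is easy to apply mechanically. The following script is an added example, not code from the original post or from BugNode, that reads ffuf's JSON output (produced with `-o out.json -of json`) and lists the redirects whose bodies are too large to be genuine redirects. The embedded results are constructed sample data, the field names follow ffuf's JSON format as I know it (`url`, `status`, `length`, `redirectlocation`), and the host name and the 1 KiB threshold are assumptions to tune per target.

```python
"""Flag candidate Execution-After-Redirect (EAR) responses in ffuf JSON output.

A redirect that does its job carries an empty or tiny body (a few hundred
bytes of "Moved" HTML at most). A 3xx with a body the size of a full page is
the signature described above: the server set the Location header but kept
rendering the protected page into the same response.
"""
import json
from typing import Iterable

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# Bodies above this many bytes on a redirect are suspicious. Assumption: a bare
# Apache/nginx redirect page is well under 1 KiB; adjust for the target.
BODY_THRESHOLD = 1024

# Constructed sample in the shape of ffuf's `-of json` output (field names as I
# understand them: url, status, length, redirectlocation). Not real scan data.
SAMPLE_FFUF_JSON = json.dumps({
    "results": [
        {"url": "https://target.example/administrator/seo_admin.php",
         "status": 302, "length": 18432, "redirectlocation": "/login.php"},
        {"url": "https://target.example/administrator/index.php",
         "status": 302, "length": 0, "redirectlocation": "/login.php"},
        {"url": "https://target.example/administrator/logout.php",
         "status": 302, "length": 214, "redirectlocation": "/"},
        {"url": "https://target.example/index.php",
         "status": 200, "length": 9120, "redirectlocation": ""},
    ]
})


def find_ear_candidates(ffuf_json: str, threshold: int = BODY_THRESHOLD) -> list:
    """Return ffuf results whose status is a redirect but whose body exceeds threshold."""
    data = json.loads(ffuf_json)
    hits = []
    for r in data.get("results", []):
        if r.get("status") in REDIRECT_STATUSES and r.get("length", 0) > threshold:
            hits.append({
                "url": r["url"],
                "status": r["status"],
                "length": r["length"],
                "location": r.get("redirectlocation", ""),
            })
    # Largest bodies first: the most page-like redirects are the strongest leads.
    hits.sort(key=lambda h: h["length"], reverse=True)
    return hits


def format_report(hits: Iterable[dict]) -> str:
    """One line per candidate: status, body size, redirect target, URL."""
    lines = [f"{h['status']} {h['length']:>7}B -> {h['location'] or '-'}  {h['url']}"
             for h in hits]
    return "\n".join(lines) if lines else "no EAR candidates"


if __name__ == "__main__":
    print(format_report(find_ear_candidates(SAMPLE_FFUF_JSON)))
```

With the default threshold only the 18 KiB redirect is reported; lowering the threshold to 100 bytes also surfaces the 214-byte logout redirect, which is the kind of ordinary "Moved" page the threshold exists to filter out, so each hit still needs a look at the actual body in the proxy.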

Exploitation

After identifying the EAR vulnerability, the next step is to use the Match and Replace rules in the BurpSuite proxy. Since a "302 Found" response typically includes a "Location" header, an attacker can use the Match and Replace rules in BurpSuite to bypass the redirect by removing the Location header from the response.

[Figure: Replacing the Location header in BurpSuite to avoid the redirect]

After setting the "Location" header to be replaced, the attacker can then access the administrative URL previously discovered through fuzzing, such as "https://www.bugnode.ltd/administrator/seo_admin.php". This will reveal the administrator's functionality to upload a picture.

[Figure: SEO Admin picture upload]

This eventually resulted in Remote Code Execution on the web server, as a PHP file could be uploaded due to an Unrestricted File Upload vulnerability in this feature.

[Figure: SEO Admin picture upload leading to RCE]

Bypassing SSO Through The Same Approach

In another web application assessment, the system appeared to be safeguarded by Single Sign On (SSO), requiring attackers to use their corporate credentials for access. However, exploiting the EAR vulnerability through our previously explained approach made it possible to access user reports.

[Figure: Identifying the EAR vulnerability]

As seen in the previous picture, the BurpSuite proxy shows a "302 Found" status code accompanied by a large response and redirects to the SSO via Microsoft.

[Figure: Identifying the EAR vulnerability, replacing the Microsoft SSO redirect]

By configuring the "Location" header for replacement, the redirection to Microsoft's SSO is bypassed, granting access to the web application.

[Figure: Access to the previously found /user/reports dashboard]

Mitigation Strategies

  • Proper Termination: Always terminate execution after a redirect. In practice this means returning from the function immediately after the redirect is issued.
  • Use Termination Functions: In certain cases, a function like die() should be called right after the redirect so that the script stops regardless of whether the client follows the redirect.
  • Avoid Relying Solely on Client-Side Redirects: Redirects implemented only on the client side, for example in JavaScript, can simply be ignored by an attacker. Always enforce access checks and redirects on the server side.
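To make the first two points concrete, here is an added example that is not part of the original post and not BugNode's code. It reproduces the PHP mistake in Python's standard-library HTTP server: one handler sends the 302 and Location header but forgets to return, so the protected page is still written into the same response, while the other terminates right after the redirect. A probe starts each handler on a loopback port and fetches the page without following the redirect, which is how the large-bodied 302 shows up in a proxy. The admin page, the cookie check and the paths are constructed placeholders.

```python
"""Execution After Redirect (EAR) in a minimal Python HTTP handler.

Both handlers answer an unauthenticated request with "302 Found" plus a
Location header. The vulnerable one keeps executing after the redirect and
writes the admin page into the same response, which is the large-bodied 302
described above. The fixed one returns immediately, so the redirect carries
no body for a proxy to uncover.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in for the protected page (not the real application's HTML).
ADMIN_PAGE = b"<html><body><h1>SEO Admin</h1><form>upload picture</form></body></html>"
ADMIN_PATH = "/administrator/seo_admin.php"  # constructed path for the demo


def _is_authenticated(handler: BaseHTTPRequestHandler) -> bool:
    # Constructed check; a real application validates a server-side session here.
    return handler.headers.get("Cookie", "") == "session=valid-admin"


class _QuietHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo's stderr clean
        pass


class VulnerableHandler(_QuietHandler):
    """Mirrors PHP that calls header('Location: ...') and then keeps echoing output."""

    def do_GET(self):
        if _is_authenticated(self):
            self.send_response(200)
        else:
            self.send_response(302)
            self.send_header("Location", "/login")
            # BUG: no return here, so execution falls through to the page below.
        self.send_header("Content-Length", str(len(ADMIN_PAGE)))
        self.end_headers()
        self.wfile.write(ADMIN_PAGE)  # reaches the unauthenticated client as well


class FixedHandler(_QuietHandler):
    """Same logic with the redirect properly terminated (return, or die() in PHP)."""

    def do_GET(self):
        if not _is_authenticated(self):
            self.send_response(302)
            self.send_header("Location", "/login")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return  # FIX: nothing below runs for an unauthenticated client
        self.send_response(200)
        self.send_header("Content-Length", str(len(ADMIN_PAGE)))
        self.end_headers()
        self.wfile.write(ADMIN_PAGE)


def probe(handler_cls, cookie: str = "") -> tuple:
    """Serve handler_cls on a free loopback port, GET the admin path once without
    following redirects (http.client never does), and return (status, body_length)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", srv.server_address[1], timeout=5)
        conn.request("GET", ADMIN_PATH, headers={"Cookie": cookie} if cookie else {})
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
    finally:
        srv.shutdown()
        srv.server_close()
    return resp.status, len(body)


if __name__ == "__main__":
    for cls in (VulnerableHandler, FixedHandler):
        status, size = probe(cls)
        print(f"{cls.__name__:18} unauthenticated -> {status}, {size} body bytes")
```

Both handlers return 302 to an unauthenticated client, so the status code alone gives no hint; the difference is the body size, and that is exactly what the fuzzing step above keys on. The fix is the early return (or die() in PHP), and it works because the access check runs on the server before any page content is produced.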

How We Help

At BugNode, we specialize in uncovering web application vulnerabilities through meticulous vulnerability research. We utilize a tailored approach and testing methods that adapt to your application to detect and reinforce potential weak points, safeguarding your digital assets against phishing and malware threats—partner with us for a proactive defense strategy that secures your web applications and protects your data.
