The easiest way I used to bypass an admin panel
In this story I'm explaining a vulnerability that I reported to a program on HackerOne. My English is not perfect and it's not my mother language, so please never mind if I have some problems with the grammar; all I need is for you to understand exactly what I'm talking about.
A few months ago my friend MoSec recommended that I learn about a vulnerability called HTTP Request Smuggling. Normally I don't like to learn about classic vulnerabilities because many people are already looking for them.
However, I started to learn it and tested it on my main target; I have a target on which I test everything new I learn.
The target is a private program so I can't disclose anything about it. It has an admin panel secured with an OAuth proxy; I don't know exactly how that thing works, but for an unauthenticated user here is what you see when you visit https://admin.target.com/
The proxy somehow recognized the unauthenticated user, then required the user to log in with Google.
I knew that's a proxy panel: you may find yourself logged in if you bypass the page that requires you to log in with Google.
I tested my newly learned HTTP request smuggling skills on that endpoint to bypass the proxy panel. Here is an example of the HTTP request I sent to the admin panel:
GET /test?a=a% HTTP/1.1
Host: admin.target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36

GET /admin/login HTTP/1.1
Host: admin.target.com

This HTTP request actually sends multiple HTTP requests in one request, and the HTTP response will contain 2 responses in one response; there's nothing wrong with that, it's an HTTP feature. Just focus on the second request, where I have not used any User-Agent header.
The HTTP request was actually HTTP/2 but I converted it to HTTP/1.1. When you see this request you may say what a trash request, especially if you know that's not a correct way to exploit HTTP request smuggling, but when I saw the HTTP response it shocked me, because the panel that was requiring me to log in with Google disappeared and I saw another login panel, the same as the normal users' login panel.
I reported the vulnerability to the program; I had reviewed the program policy, which says "If you reach a normal login panel on the admin panel, please let us know", and that's exactly what I did.
I reported the vulnerability to the program with the title "HTTP request smuggling leads to bypass of admin panel proxy panel"; they triaged the report in less than 10 minutes and updated the severity to critical, and I was staring at the report, shocked, wondering why that was a critical issue.
Then one of the program triagers responded and told me that if I logged in to the normal admin panel login with my normal user credentials, created on www.target.com for my own account, I was able to act as admin: I was able to modify everything on the website, and that's why they updated the severity to critical.
A few minutes later they told me that the admin panel was actually not bypassed because of my junk HTTP request; it was bypassed because I didn't use any User-Agent HTTP header, and the HTTP request I used as PoC was a totally different thing. The attacker is able to bypass the proxy panel by only removing the User-Agent header, and I was like WTF is going on?
Whatever, here is the HTTP request to exploit the vulnerability:
GET /admin/login HTTP/1.1
Host: admin.target.com
And you should see the normal website login page on the admin's login endpoint, with the proxy login page that requires logging in with Google gone.
The vulnerability was resolved and a 4-digit bounty awarded in only 1 hour. The program was awesome and they really appreciated me, and I appreciate my friend MoSec for suggesting that I learn HTTP request smuggling; the vulnerability wasn't HTTP request smuggling, but I found it by testing for this vulnerability type.
Sometimes you are looking for a gate; you may not find it, but you find another gate by looking for the first one.
I hope you all liked the weird story. You can follow my Twitter if you want to read more stories: https://twitter.com/siratsami71
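To make the triagers' explanation concrete, here is an added example (my own code, not the program's proxy or anything from the write-up): a toy proxy gate that wrongly ties its Google-login redirect to the presence of a User-Agent header, next to the corrected gate, plus a check a defender could run over raw requests like the ones above. The "weak" logic is only a hypothesis of how such a bypass arises; the real proxy's code is unknown.

```python
# Added example: a toy model of the proxy gate the write-up describes.
# The exact logic of the real proxy is unknown; the "weak" version is a
# hypothesis of how a missing User-Agent could skip the login redirect.
from dataclasses import dataclass, field

GOOGLE_LOGIN = "302 -> Google login"      # what the proxy should answer
BACKEND_LOGIN = "200 admin app login"     # what leaked in the write-up


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def parse_raw_request(raw: str) -> Request:
    """Parse one raw HTTP/1.1 request (same shape as the ones above)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


def weak_gate(req: Request, has_session: bool) -> str:
    """Hypothetical flawed gate: only requests that look like a browser
    (User-Agent present) are sent to Google login; anything else falls
    straight through to the backend admin app."""
    if not has_session and "user-agent" in req.headers:
        return GOOGLE_LOGIN
    return BACKEND_LOGIN


def fixed_gate(req: Request, has_session: bool) -> str:
    """Hardened gate: the decision depends only on the session,
    never on client-controlled headers such as User-Agent."""
    if not has_session:
        return GOOGLE_LOGIN
    return BACKEND_LOGIN


def missing_user_agent(req: Request) -> bool:
    """Detection hint: flag admin-host requests with no User-Agent."""
    host = req.headers.get("host", "")
    return host.startswith("admin.") and "user-agent" not in req.headers
```

Feed the two requests from the write-up through both gates: the weak gate lets the header-less one reach the backend login page while the fixed gate redirects it to Google login either way.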