Information Disclosure
Lab:~#Authentication bypass via information disclosure
Welcome to my write-up for the PortSwigger Web Security Academy lab on Authentication bypass via information disclosure! In this guide, I’ll show you how I tackled the lab, including how I found security issues and created solutions.
This lab’s administration interface has an authentication bypass vulnerability, but it is impractical to exploit without knowledge of a custom HTTP header used by the front-end. To solve the lab, obtain the header name then use it to bypass the lab’s authentication. Access the admin interface and delete the user carlos.
What is information disclosure?
Information disclosure, also known as information leakage, is when a website unintentionally reveals sensitive information to its users.
End Goals:~#
- Obtain the header name, then use it to bypass the lab’s authentication.
- Access the admin interface and delete the user carlos.
Steps To Reproduce:~#
- Logging in with the credentials provided.
- Checking the proxy for the collected requests. While reviewing them, we noticed that the account details page was fetched with a GET request.
- Changing the request method to TRACE, which is used for diagnostic purposes. In the response, we saw a header called X-Custom-IP-Authorization that contained our IP address.
- Looking up what the header means on Google.
- Knowing what the header means, we changed the request method and path to GET /admin and added the X-Custom-IP-Authorization header with our IP address as the value. We received a 401 status code in response.
- This means we need to change the header’s value so that the request appears to come from the localhost IP address.
- Bingo! We accessed the admin page, and by checking the response, we found the path to delete the user “carlos”.
- That’s it, hackerman—lab solved!
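As an added example (not part of the lab or of this write-up), here is a small Python model of the two tiers the steps above describe: a front-end that fails to overwrite a client-supplied X-Custom-IP-Authorization header, the TRACE echo that disclosed the header name, and the corrected behaviour. The header name is the one from the lab; the tier layout, the `front_end`/`back_end` functions and all IP addresses are constructed assumptions.

```python
from ipaddress import ip_address

# Header name disclosed by the lab's TRACE response.
AUTH_HEADER = "X-Custom-IP-Authorization"


def front_end(method, path, headers, remote_addr, overwrite=True, allow_trace=False):
    """Front-end tier (assumed model). Stamps AUTH_HEADER with the TCP peer address
    before forwarding. overwrite=False reproduces the lab's weakness: a value the
    client already supplied is forwarded untouched, so the back-end sees whatever
    address the client claimed. Header names are assumed canonically cased."""
    forwarded = dict(headers)  # constructed request headers as received from the client
    if overwrite or AUTH_HEADER not in forwarded:
        forwarded[AUTH_HEADER] = remote_addr
    if method == "TRACE":
        # TRACE echoes the request as the back-end would see it; with allow_trace=True
        # this is how the internal header name leaked. Refusing the method is the fix.
        if not allow_trace:
            return 405, "Method Not Allowed"
        return 200, "\n".join(f"{k}: {v}" for k, v in forwarded.items())
    return back_end(method, path, forwarded)


def back_end(method, path, headers):
    """Back-end tier (assumed model). It is only reachable through the front-end, so
    it trusts AUTH_HEADER and admits /admin only for a loopback client address."""
    if path.startswith("/admin"):
        try:
            client_ip = ip_address(headers[AUTH_HEADER])
        except (KeyError, ValueError):
            return 401, "Unauthorized"
        if not client_ip.is_loopback:
            return 401, "Unauthorized"
        return 200, "admin interface"
    return 200, "public page"


def client_supplied_auth_header(headers):
    """Detection hook: a request arriving from the internet should never carry
    AUTH_HEADER, so its presence at the edge is worth logging and alerting on."""
    return AUTH_HEADER in headers
```

Running `front_end` with `overwrite=False` shows the 200 the write-up reached; the default settings return 401 for the same spoofed header and 405 for TRACE.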
That’s all, friends. Thank you for reading up to this point. I would like to hear your feedback on anything not clear here. Here is my Twitter account @T3chnocr4t. Feel free to DM me if you have any issues with my write-up. Thanks!