The easiest way I used to bypass an admin panel

In this story I’m explaining a vulnerability that I reported to a program on HackerOne. My English is not perfect and it’s not my mother tongue, so please don’t mind if I have some problems with the grammar; all I need is for you to understand exactly what I’m talking about.

A few months ago my friend MoSec recommended that I learn about a vulnerability called HTTP Request Smuggling. Normally I don’t like learning about classic vulnerabilities because many people are already looking for them.

However, I started learning it and tested it on my main target. I have one target on which I test everything new that I learn.

The target is a private program, so I can’t disclose anything about it. It has an admin panel secured by an OAuth proxy panel; I don’t know exactly how that thing works, but for an unauthenticated user, here is what you see when you visit https://admin.target.com/

The proxy somehow recognized the unauthenticated user and then required them to log in with Google.

I knew that since it’s a proxy panel, you may find yourself logged in if you bypass the page that requires you to log in with Google.

I tested my newly learned HTTP request smuggling skills on that endpoint to bypass the proxy panel. Here is an example of the HTTP request I sent to the admin panel:

This HTTP request actually sends multiple HTTP requests in one request, and the HTTP response will contain two responses in one. There’s nothing wrong with that; it’s an HTTP feature. Just focus on the second request, where I did not use any User-Agent header.

The HTTP request was actually HTTP/2, but I converted it to HTTP/1.1. When you see this request you may say “what a trash request”, especially if you know that’s not the correct way to exploit HTTP request smuggling. But when I saw the HTTP response it shocked me: the panel that required me to log in with Google had disappeared and I saw another login panel, the same as the normal users’ login panel.

I reported the vulnerability to the program. I had reviewed the program policy: on the admin panel they say “If you reach a normal login panel please let us know”, and that’s exactly what I did.

I reported the vulnerability to the program with the title “HTTP request smuggling leads to bypass admin panel proxy panel”. They triaged the report in less than 10 minutes and updated the severity to critical, and I was staring at the report, shocked, wondering why this was a critical issue.

Then one of the program triagers responded and told me that if I logged in to the normal admin panel login with my normal user credentials (the ones created on www.target.com for my own account), I would be able to act as admin by logging in to the admin panel and modify everything on the website, and that’s why they updated the severity to critical.

A few minutes later they told me that the admin panel was actually not bypassed because of my junk HTTP request; it was bypassed because I didn’t use any User-Agent HTTP header. The HTTP request I used as the PoC was a totally different thing: an attacker is able to bypass the proxy panel just by removing the User-Agent header. I was like, WTF is going on?

Whatever, here is the HTTP request that exploits the vulnerability:

You should see the normal website login page on the admin login endpoint, and the proxy login page that requires logging in with Google is gone.
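As an added illustration (not the author’s code, and the proxy’s internals are not known from this story): a small model of an auth proxy’s login decision in which a missing User-Agent switches the check off, the same decision made independently of client headers, and a regression check a defender can run over constructed header variants. The `session=` cookie, the session store and the header sets are assumptions.

```python
from typing import Callable, Dict, List

Headers = Dict[str, str]

# Constructed: sessions the proxy would accept (stand-in for its real store).
VALID_SESSIONS = {"sess-ok-1"}

# Constructed unauthenticated requests a regression check should cover:
# a normal browser, the User-Agent removed, an empty one, a lowercase key.
UNAUTHENTICATED_VARIANTS = {
    "browser": {"Host": "admin.example.test", "User-Agent": "Mozilla/5.0"},
    "no_user_agent": {"Host": "admin.example.test"},
    "empty_user_agent": {"Host": "admin.example.test", "User-Agent": ""},
    "lowercase_key": {"Host": "admin.example.test", "user-agent": "curl/8.0"},
}

def header(headers: Headers, name: str) -> str:
    # Header names are case-insensitive; normalise before lookup.
    wanted = name.lower()
    return next((v for k, v in headers.items() if k.lower() == wanted), "")

def session_id(headers: Headers) -> str:
    # Pull the (assumed) "session=" value out of the Cookie header.
    for part in header(headers, "Cookie").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return ""

def weak_requires_login(headers: Headers) -> bool:
    # Assumed flawed rule: a request with no User-Agent is treated as
    # internal tooling and skips the Google login, so simply dropping the
    # header is enough to be waved through (the behaviour reported above).
    if not header(headers, "User-Agent"):
        return False
    return session_id(headers) not in VALID_SESSIONS

def fixed_requires_login(headers: Headers) -> bool:
    # Hardened rule: the only thing that exempts a request is a valid
    # session; no client-controlled header can switch the check off.
    return session_id(headers) not in VALID_SESSIONS

def variants_let_through(decide: Callable[[Headers], bool]) -> List[str]:
    # Regression check: names of unauthenticated variants the proxy would
    # let through without a login; an empty list means auth is enforced.
    return [n for n, h in UNAUTHENTICATED_VARIANTS.items() if not decide(h)]
```

Calling `variants_let_through(weak_requires_login)` names the variants that skip the login (the missing and empty User-Agent cases), while the hardened rule returns an empty list.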

The vulnerability was resolved and a 4-digit bounty awarded in only 1 hour. The program was awesome and they really appreciated me, and I appreciate my friend MoSec for suggesting that I learn HTTP request smuggling. The vulnerability wasn’t HTTP request smuggling, but I found it by testing for that vulnerability type.

Sometimes you are looking for a gate and you may not find it, but you find another gate by looking for the first one.

I hope you all liked this weird story. You can follow my Twitter if you want to read more stories: https://twitter.com/siratsami71
