Access to staging environment via User-Agent string

Yasser Gersy
Oct 9, 2018 · 4 min read


This article demonstrates an authentication bypass using a special User-Agent string.

Disclosing something that helped me access a staging environment at a company, which may help other people in their penetration testing.

Unfortunately the program does not allow any public disclosure, so it will be redacted, and we will call it Redigido.

Like many, I do recon on everything. After downloading the Redigido APK file:


Collecting the program's assets, I found that it has an Android application. I tried a new technique: I extracted the APK file, decompiled the dex files to JAR using dex2jar, and finally extracted the JAR files again.

I do not know why I did that.

I ended up with a folder containing dozens of files, taking 160 MB of disk space.

I used my own tool to search these files for anything interesting.

The tool reads all files, splits them into lines and looks for any string matching email / url / secret / password / key / token / access according to the default configuration.

After the tool finished, I noticed credentials leaked in a URL.

Navigating to `` , the browser failed to reach it; the subdomain is not resolvable.

I got an idea: I resolved their main website's IP address and edited my hosts file with the following:

Suppose x.x.x.x is one of their IP addresses


Refreshing the browser, their server accepted the request.

WOW, I reached the stage, but it's protected with Basic Authentication.

Submitting the leaked credentials, the authentication failed. I guessed that maybe someone had found this before me and the developer had to change his password, so I tried to brute-force the new password and failed.

I tried to find anything that has no authentication; requesting /robots.txt also required basic authentication.

I picked up the request and changed the Host header to , and the response was from the main website; I tried the stage host and failed again.

For any requested resource, if the Host header is equal to , the server responds with Restricted Authentication Required.

No other plans; giving up now.

I installed the APK on my machine and started using the application, and I noticed that its HTTP requests use http://. What? The website upgrades HTTP connections and also has the STS HTTP header set, which means all HTTP requests must use HTTPS.

I picked up a request and started looking into why HTTP is not upgraded to HTTPS. After fuzzing all parts of the request, I found the User-Agent is the key: the Android application uses a User-Agent string containing the company name (User-Agent: ), and the server side accepts any connection containing this User-Agent regardless of the scheme.

Let's spoof the User-Agent. I opened Firefox and edited my User-Agent:


Navigated to

And boom :D

Welcome Back .

Got access to stage by resolving the host name and using a crafted User-Agent string.
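From the defender's side, the misconfiguration above leaves a trace: successful responses from the staging vhost that carry no authenticated user, arrive over plain HTTP despite STS, or match the mobile app's User-Agent marker. The following log audit is an added example, not code from the post or from the affected company; the log layout, the host name stage.example.com and the marker string ExampleCorp are assumptions standing in for the redacted values.

```python
import re

# Constructed log layout (assumed nginx log_format with $scheme and $host
# added to the usual fields; not the vendor's real format):
#   client scheme host "METHOD path proto" status "user-agent" remote_user
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<scheme>https?) (?P<host>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" (?P<user>\S+)$'
)
STAGING_HOSTS = {"stage.example.com"}  # placeholder: the Basic-Auth-protected vhost
VENDOR_UA_MARKER = "ExampleCorp"       # placeholder: company name the app puts in its UA


def audit(lines):
    """Flag 2xx responses from the staging vhost that the auth gate should have refused."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["host"] not in STAGING_HOSTS:
            continue  # unparseable line, or traffic for a different vhost
        rec = m.groupdict()
        if not rec["status"].startswith("2"):
            continue  # a 401/403 means Basic Auth held; nothing to report
        reasons = []
        if rec["user"] == "-":
            reasons.append("served without Basic Auth credentials")
        if rec["scheme"] == "http":
            reasons.append("plain HTTP not upgraded to HTTPS")
        if VENDOR_UA_MARKER in rec["ua"]:
            reasons.append("app User-Agent marker present")
        if reasons:
            findings.append({"client": rec["client"], "path": rec["path"],
                             "ua": rec["ua"], "reasons": reasons})
    return findings


# Constructed sample lines (not real traffic): refused, authenticated, the app's
# own UA over plain HTTP, a desktop browser spoofing the marker, and the main site.
SAMPLE_LOG = [
    '203.0.113.5 https stage.example.com "GET /robots.txt HTTP/1.1" 401 "Mozilla/5.0" -',
    '203.0.113.5 https stage.example.com "GET / HTTP/1.1" 200 "Mozilla/5.0" dev',
    '198.51.100.7 http stage.example.com "GET / HTTP/1.1" 200 "ExampleCorp/3.1 (Android)" -',
    '198.51.100.9 https stage.example.com "GET /admin HTTP/1.1" 200 "Mozilla/5.0 ExampleCorp" -',
    '192.0.2.4 https www.example.com "GET / HTTP/1.1" 200 "Mozilla/5.0" -',
]
```

Running `audit(SAMPLE_LOG)` flags only the two unauthenticated staging hits; the real fix is to make the Basic Auth and HTTPS-redirect rules unconditional rather than keyed on the User-Agent.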


  • Doing recon for all assets, getting a large list of subdomains, reverse engineering the Android APK, resolving offline hosts / internal host names, comparing mobile requests with desktop ones, using the Android application User-Agent to access stage.


  • Do recon as much as you can.
  • Resolve unreachable hosts manually using the IP address of the main website.
  • Try accessing with the Android User-Agent and with different User-Agents.
  • Try to use everything you get.

Good Luck
