Authentication bypass via information disclosure
Let's login using the following credentials:
Username | Password |
---|---|
wiener | peter |
Once we have logged in, we can try to access the /admin
page.
As we can see the admin panel is only accessible to local users.
Since we are proxying the request through Burp Suite, we will be able to see the request in the Proxy > HTTP History
tab.
Let's forward this request to the Repeater
for further modification.
Once in the Repeater
, let's modify the method to TRACE and send the request.
In the response, the returns contains the X-Custom-IP-Authorization
header which is set to our IP address.
Let's go into the Proxy settings
tab.
Next we have to scroll down to Match and Replace
and click Add
.
Inside the Replace
field, paste the following:
X-Custom-IP-Authorization: 127.0.0.1
This header will now be added to every request that we send. Therefore, we will be treated as local users and will have access to the admin panel.
Let's go inside and delete the carlos
user.
We have solved the lab.