Sunday, August 13, 2017

An accidental typo that bypassed administration access

A new post from me to kill some time.

This was from an old invite-only private program on one of the bug bounty platforms. The program offered $15,000 in total. Several targets were given, but most of them were limited in terms of functionality and forms.

One of the applications in scope attracted me because it responded differently depending on the browser platform: you were only allowed to access the mobile site if the application detected that your User-Agent came from a mobile device. The application consisted of only a few functions:
  • query for available *item*
  • view for available schedule
  • information of the certain *item*
  • no login
Based on the above, this looked like a common website that provides general information about their products/items. I spent a few days looking at their desktop website and found a few XSS. Looking at the page source, I noticed a script that contained a hyperlink to a mobile site. It looked something like below:
<script type="text/javascript">
  var attr = "href";
  var value = "/mobileapps";
  elem.setAttribute(attr, value); // elem is the link element, defined elsewhere on the page
</script>
However, I was not able to access it directly from a desktop browser. I changed my User-Agent to an Android string, and it worked!

Now I was in their mobile site. Found a few more XSS. Good. Based on the findings so far, I would probably be rewarded up to $2,000 in total. Good enough. But then something bothered me: in Burp, there was a 302 redirect response whenever Burp's Spider tried to access the /admin path. Weird. I checked whether there were any JS files I could use to bypass this, as I did in my previous blog post.

No success. sadpanda.

But then, during testing, I mistakenly typo'ed /admin as /Admin (this happens regularly since I started using a MacBook; the keyboard is quite small for my fingers).
To my surprise, that typo got me into the administration page. What magic. It seems there was a weak configuration at their backend that restricted access to /admin only with an exact, case-sensitive match, while the application itself still served the page for any casing of the word: /Admin, /aDmin/ and /ADMIN all bypassed the check.
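The bug above is a mismatch between the component that enforces the restriction and the component that routes the request: one compares the literal string, the other does not care about case (a common real-world pairing is a case-sensitive prefix rule in a reverse proxy in front of a framework such as Express, whose router is case-insensitive by default). The following is an added example, not code from the original post or from the target: a hypothetical check that fails the way the post describes, the same policy applied to a canonicalised path, and a small generator of the variants a tester would send once a path answers with a suspicious 302. The restricted path `/admin` and all function names are assumptions for illustration.

```python
import itertools
import posixpath
import re
from typing import Callable, Iterable, List, Set
from urllib.parse import unquote

ADMIN_PREFIX = "/admin"  # hypothetical restricted path, as in the post


def vulnerable_is_blocked(path: str) -> bool:
    """Literal, case-sensitive check of the kind the post describes.

    It blocks exactly '/admin' and '/admin/...', so '/Admin', '/%41dmin',
    '//admin' and '/x/../admin' all slip past it.
    """
    return path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")


def normalize_path(path: str) -> str:
    """Canonicalise a request path before any access decision is made."""
    # Strip query string and fragment; they never take part in routing.
    path = path.split("?", 1)[0].split("#", 1)[0]
    # Percent-decode until stable so double encoding (%2541) is unwrapped too.
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    # Some stacks accept '\' as a separator; treat it like '/'.
    path = path.replace("\\", "/")
    # Collapse runs of slashes, then resolve '.' and '..' segments.
    path = re.sub(r"/+", "/", "/" + path)
    path = posixpath.normpath(path)
    # Case-fold last, so the comparison below is case-insensitive.
    return path.casefold()


def hardened_is_blocked(path: str) -> bool:
    """Same policy as the vulnerable check, applied to the canonical path."""
    canonical = normalize_path(path)
    return canonical == ADMIN_PREFIX or canonical.startswith(ADMIN_PREFIX + "/")


def case_variants(path: str) -> Set[str]:
    """Every upper/lower casing of the letters in path (the post's typo, exhaustively)."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in path]
    return {"".join(combo) for combo in itertools.product(*choices)}


def probe_variants(path: str) -> List[str]:
    """Variants a tester would send once a path returns a suspicious redirect."""
    bare = path.strip("/")
    variants = case_variants("/" + bare)
    variants.update({
        "/" + "".join(f"%{ord(c):02X}" for c in bare),    # fully percent-encoded
        "/" + "".join(f"%25{ord(c):02X}" for c in bare),  # double-encoded
        "//" + bare,       # duplicate leading slash
        "/./" + bare,      # dot segment
        "/x/../" + bare,   # dot-dot segment
        "/" + bare + "/",  # trailing slash
    })
    return sorted(variants)


def find_bypasses(check: Callable[[str], bool], variants: Iterable[str]) -> List[str]:
    """Return the variants that the given access check fails to block."""
    return [v for v in variants if not check(v)]


if __name__ == "__main__":
    probes = probe_variants(ADMIN_PREFIX)
    print("vulnerable check misses:", find_bypasses(vulnerable_is_blocked, probes))
    print("hardened check misses:  ", find_bypasses(hardened_is_blocked, probes))
```

Run stand-alone, the script lists the 36 probes the literal check lets through and an empty list for the normalised one. Normalisation is only defence in depth, though: the real fix is to enforce the restriction in the same layer that routes the request (or to deny by default and allow-list what is public), because any two components that parse the path differently leave exactly this kind of gap.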

Now I was in the administration page. There were lots of functions inside and ALL of them were vulnerable: reflected and stored XSS, SQLi, CSRF, etc. Submitted all of them. Out of $15,000, 70% was mine :)

Lessons:
  1.  Do not forget to test in a mobile environment
  2.  Do not forget to test the target's mobile site
  3.  Do not give up if the application looks really simple; there is probably a hidden administration page in it
  4.  Look at the application's responses. If something is weird, try to bypass it.
Till next time.
Cheers.