bolus (June 15, 2018):

I've got a page where the content access is restricted by a username/password combination. It's not credentials the user has to register for; it's just set on the server, where all content is publicly accessible apart from this page. I've found that I can access this by changing the Host header value (via Burp).

Original:

    GET /content HTTP/1.1
    Host: site.com

which returns HTTP 401 Authorization Required. I change the header details to:

    GET /content HTTP/1.1
    Host: evil.com

and then I can access the requested page.

I kinda stumbled across this, and would like to learn more about it. Any advice as to what this type of vulnerability is called, and why it happens? I *think* that it's happening due to the validation only working when the request comes from the host domain, but would like confirmation of this.

Cheers
digininja (June 15, 2018):

Sounds like they've just messed up their vhost configuration and the authentication is only checked on the site.com vhost, but the server returns the same content regardless of which vhost is requested.
bolus (June 15, 2018):

Thanks @digininja, appreciate the quick response. Confirms one of my theories.
digininja (June 15, 2018):

The weirdest one like that I've seen was that if you put a . in front of the domain name the request bypassed authentication, i.e. https://.hak5.org would bypass things, while https://hak5.org would get restricted. Didn't work with any other messing with the host or domain, so I suspect a slightly broken regular expression somewhere, but I could never prove it.
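Added example (not code from this thread or from any server discussed in it): a small Python model of a virtual-host dispatcher that reproduces both failure modes described above, so a defender can see why the bypass works and check a fix. It assumes one shared document root, a protected path /content, Basic-auth credentials editor:s3cret, and host names site.com and evil.com, all constructed placeholders. The SUBDOMAIN_PATTERN regex is one hypothetical pattern consistent with digininja's guess about an empty leading label, not the pattern that was actually on hak5.org.

```python
"""Model of vhost dispatch: auth bypass via an unexpected Host header.

Added example, not from the thread. Names, paths and credentials are
constructed placeholders.
"""
import base64
import re
from dataclasses import dataclass
from typing import Callable, Optional

# One document root shared by every vhost, as on the misconfigured server.
DOCROOT = {"/": "public index", "/content": "restricted content"}
PROTECTED_PATHS = {"/content"}
# Constructed credential for the Basic-auth check.
VALID_BASIC = "Basic " + base64.b64encode(b"editor:s3cret").decode()

# Hypothetical subdomain pattern: accepts site.com and label.site.com,
# but each label must be non-empty, so ".site.com" does NOT match.
SUBDOMAIN_PATTERN = re.compile(r"^([a-z0-9-]+\.)*site\.com$")


@dataclass
class VHost:
    name_matches: Callable[[str], bool]  # Host header -> bool
    requires_auth: bool


def handle(vhosts, default: Optional[VHost], path: str, headers: dict):
    """Route to the first vhost whose name matches the Host header; fall
    back to `default` when none does (nginx and Apache both fall back to a
    default server block this way). Returns (status, body)."""
    host = headers.get("host", "")
    vhost = next((v for v in vhosts if v.name_matches(host)), default)
    if vhost is None:
        return 421, ""  # Misdirected Request: no vhost serves this Host
    if vhost.requires_auth and path in PROTECTED_PATHS:
        if headers.get("authorization") != VALID_BASIC:
            return 401, ""
    if path not in DOCROOT:
        return 404, ""
    return 200, DOCROOT[path]


# Bug 1 (this thread): auth attached only to the site.com vhost, while the
# default vhost serves the same DOCROOT with no auth rule at all.
MISCONFIGURED = dict(
    vhosts=[VHost(lambda h: h == "site.com", requires_auth=True)],
    default=VHost(lambda h: True, requires_auth=False),
)

# Bug 2 (digininja's ".hak5.org" case, modelled): a pattern-based name match
# that misses a malformed Host, so the request falls through to the
# unauthenticated default vhost.
REGEX_VHOST = dict(
    vhosts=[VHost(lambda h: bool(SUBDOMAIN_PATTERN.match(h)), requires_auth=True)],
    default=VHost(lambda h: True, requires_auth=False),
)

# Fix: exact-match allowlist for the protected vhost, and no default vhost
# that serves content; anything else gets 421 and nothing from DOCROOT.
HARDENED = dict(
    vhosts=[VHost(lambda h: h == "site.com", requires_auth=True)],
    default=None,
)


def get(config: dict, path: str, host: str, authorization: str = None) -> int:
    """Issue one modelled GET and return only the status code."""
    headers = {"host": host}
    if authorization:
        headers["authorization"] = authorization
    return handle(config["vhosts"], config["default"], path, headers)[0]


if __name__ == "__main__":
    for name, cfg in (("misconfigured", MISCONFIGURED),
                      ("regex vhost", REGEX_VHOST),
                      ("hardened", HARDENED)):
        for host in ("site.com", "evil.com", ".site.com"):
            print(f"{name:14} Host: {host:10} /content -> {get(cfg, '/content', host)}")
```

The same dispatch rules can be turned into a unit test of a real deployment's vhost layout: every Host value that is not on the allowlist should yield 421 (or a closed connection) rather than content. In nginx that is a `listen ... default_server;` block with `server_name _;` and `return 444;` (or 421); in Apache the first `<VirtualHost>` for an address is the default, so it should be a deny-all block rather than a copy of the real site.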
r3plic4tor (June 15, 2018):

A poorly configured 'input validation' control for that URL. Rule 3 should remove any quotation remarks within the input!
digininja (June 15, 2018):

What are you talking about? No one mentioned quotes, and what is rule 3?
r3plic4tor (June 15, 2018, edited):

Hehe, comes after rule 2? ... soz, my bad, punctuation marks included! Come on Dig, you know your core defense mechs on input validation.

1. Strip any <script> expressions that appear.
2. Truncate the input to 50 characters.
3. Remove any quotation/punctuation marks within the input.
4. URL-decode the input.
5. If any items were deleted, return to step 1.
digininja (June 15, 2018):

That has absolutely nothing to do with the original question, which was about failure to correctly check authentication. I would disagree with them even if we were talking about input validation.