PortSwigger's "Authentication bypass via information disclosure" Walkthrough

This is the fourth of five “information disclosure” labs from Portswigger Academy.

Before we get started, you’ll need a Portswigger Academy account. You’ll also need Burp Suite set up. Log in and then view the lab at https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-authentication-bypass. This is accessible from the “all labs” view.

Challenge Information

Click the “Access the Lab” button and you will be taken to a temporary website that is created for your account. This will be in format https://<random string here>.web-security-academy.net/.

This lab asks us to find and access the admin interface to delete an account. We’re told that there’s a custom HTTP header that is used but we don’t know about. We get a set of login credentials as well, wiener:peter.

The website is a shopping site:

We can login using the provided credentials:

But this doesn’t really get us much:

The URL for this page (if you click My Account) is https://<random-string>.web-security-academy.net/my-account?id=wiener. If you try changing the id value, you get logged out.

Finding the Admin interface

The challenge description says we have to find an administrative interface. There’s nothing interesting in the HTML comments of the pages we know about, and there’s nothing in robots.txt either.

If we take a guess that the interface is at /admin:

This is something that could also be found with a web scanner like dirb, although scanning might be discouraged for labs such as these.

The message is that the admin interface is only accessible to “local users”. In a writeup for Natas from OverTheWire, a similar challenge made use of standard headers such as X-Forwarded-For and Referer, set to values such as localhost or 127.0.0.1. Different variations of this were tested out without any luck.

Remember that the challenge description mentions a custom authorization header, so standard headers won’t help. We need a way to discover what header is in use.

Discovering the custom header

One of the information disclosure types documented on PortSwigger’s website is the HTTP TRACE method. This description, with the highlighted part in particular, seems to describe our situation:

Similar to GET or POST, TRACE is another HTTP method. We can also use curl to make a TRACE request, but this blog post will show how to use Burp Suite. If you haven’t already done so, check out this post to get it set up.

With Burp Suite open and the proxy running, visit https://<random-string>.web-security-academy.net/admin again.

Then in Burp Suite’s Proxy > HTTP History view, right-click the request and Send to Repeater:

Then in the Repeater view, change the GET method to TRACE (shown highlighted below):

Send the request, and you should get a response like this back, where the last line is a custom X-Custom-IP-Authorization header showing your IP address.

Presumably, the webserver is using a reverse proxy or other method of appending this header to requests, such that a users locality can be determined (and the admin interface can be limited to local users only).

If we try to use this header with value 127.0.0.1 (localhost doesn’t work, which makes sense because the server is likely expecting an IP address), and also switch the method type back to GET:

We see that this worked and tricked the webserver into thinking we’re accessing it locally. Burp Suite typically shows responses in plain HTML format by default, but the above screenshot was switched to the Render tab to make the response more obvious.

Lab Solution

From here, it’s clear how to delete Carlos’ account to pass the lab, based on the endpoint shown in HTML:

We can either make our own (manually edited) request in the Repeater to delete his account (with our special header still included):

Or we can go into the Proxy > Options tab, and add a custom header. This will allow us to browse normally with the special header added, such that we don’t have to manually edit requests.

Click “Add” and then make a new rule for a Request Header with “Replace” value X-Custom-IP-Authorization: 127.0.0.1. You can leave the “Match” value empty, as this is a missing header that we will always have to add in, rather than a header that already exists and needs changing:

Hit OK, then reload the page in your browser:

You should now be able to delete Carlos’ account, and solve the lab.