Header Based Login Bypass

1:06 PM


This is an unusual type of attack I discovered while doing a pentest today. It is possibly present in almost every PHP script I have written, and in almost 50% of the sites I tested. It occurs in a very unpredictable place: the header("Location: ...") call in PHP. When a page that requires authentication is requested, the script redirects the visitor to another page by returning an HTTP status code of 301/302, but the client can be told not to honour redirection codes, using an HTTP editor or Firefox's NoRedirect plugin, and then whatever the script sent along with the redirect is displayed.


Example

<?php
// Vulnerable: the redirect header is sent, but the script keeps running and
// emits the protected markup below as the body of the 302 response.
if (!isset($_SESSION['admin'])) {
    header('Location: login.php');
}
?>
<!-- Administration Center -->



The script is incorrect because it is not terminated after the header() line. PHP keeps executing and sends the rest of the page as the body of the redirect response, so an attacker using an HTTP client that doesn't follow redirections can read the content of the administration page. That is an authentication bypass vulnerability.
The correct code should have been:


<?php
if (!isset($_SESSION['admin'])) {
    header('Location: login.php');
    exit(); // stop here so the protected markup below is never sent
}
?>
<!-- Administration Center -->

And the code I was working on contained the following:

<?php
function redirect($url, $msg_type = false, $msg = false, $type = false) {
    if ($msg and $msg_type and $type)
        add_message($msg_type, $msg, $type);
    header("location:" . $url);
    // no exit() here: the caller keeps running after the redirect is sent
}

// creates new token
create_token();
$isAuth = false;
if ($userData)
    $isAuth = true;
else
    redirect('../' . PAGE_LOGIN); // execution continues past this line
//… other blah blah
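For contrast with the two snippets above, here is an added example (not code from the original post or from the application it describes) of a redirect helper that can never fall through, plus a page guard built on it. The names redirect_and_exit() and require_login(), the session key user_id and the login.php target are assumptions made for this illustration.

```php
<?php
// Added example: a redirect that always terminates the script.
declare(strict_types=1);

/**
 * Send a Location header and stop the script. Nothing after the call in
 * the calling file is reached, so a client that ignores the 302 receives
 * an empty body instead of the protected page.
 */
function redirect_and_exit(string $url, int $status = 302): void
{
    // header() only works before any output. If something has already been
    // sent, fail closed rather than letting the protected content through.
    if (headers_sent($file, $line)) {
        http_response_code(500);
        error_log("redirect_and_exit: headers already sent at $file:$line");
        exit;
    }
    header('Location: ' . $url, true, $status);
    exit; // the important line: execution stops here
}

/**
 * Guard for protected pages. Returns only when the session is authenticated;
 * otherwise the request ends inside redirect_and_exit().
 */
function require_login(string $loginUrl): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {   // 'user_id' is an assumed session key
        redirect_and_exit($loginUrl);
    }
}

// Usage at the top of a protected page such as admin.php:
require_login('login.php');
?>
<!-- Administration Center: only rendered when require_login() returned -->
<h1>Administration Center</h1>
```

To confirm a page is fixed, request it unauthenticated with a client that does not follow redirects and check that the 302 response carries an empty body; with the original redirect() above, the body would contain the page content.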

Exploitation was trivial: I installed a simple Firefox plugin called "NoRedirect", added the line "^http://localhost" to its list, which blocks any HTTP-based redirection for that host, and then requested http://localhost/project/index.php. Since the redirect() no longer takes effect, I was straight inside. As this isn't a very popular technique I decided to share it. Happy Hunting!

