Authentication Bypass & Privilege Escalation Using Header Manipulation & Cookie Injection

A Way to Bypass Authentication & Gain Admin Privilege Using Login Validation Process Prediction

While researching and working on bug bounties in Feb 2013, I have found a way that Using Header Manipulation & Cookie Injection we can Bypass Authentication and can gain Admin Privilege and using this vulnerability we can Takeover all the users account of a website if that site is vulnerable to this type of attack.

Using this vulnerability the attacker can predict the login validation process for any admins account by combinding various techniques and in this way he can also Bypass Authentication of all passwords of all the Admin accounts and can successfully compromise the Admins account as the login validation process is predictable by the attacker.

I tried various techniques to Bypass the Login like Arbitrary Methods Usages, Cookies Manipulation, Status Code Value Modification, Response Code Modification but all these techniques failed so the challenge was to understand the Login Validation Process and to find a weakness in it. So now I am mentioning how I was able to Bypass the Admin Authentication.

Please Note: There was a precondition that an attacker shall know the admins login email id only. This can be done using forget password or even using login Url itself.

Steps to Execute the Attack:

For login validation process analysis I created 2 test accounts.

1. 1st we will send the login request using our own account attackerloginid@testsite.com with a wrong password while intercepting the response for the wrong password using the below mentioned login link.  

https://testsite.com/user/login

2. Using which I found that if the password is wrong then the server response code is 302 Found, 1st Set-Cookie named remember_email value is null and 2nd Set-Cookie named registration_status value is unregistereduser and the Location header value is as site login page Url https://testsite.com/user/login.

3. Now we will send the login request using our own account attackerloginid@testsite.com with a right password while intercepting the response for the right password using the below mentioned login link.  

https://testsite.com/user/login

4. Using which I found that if the password is right then the server response code is 302 Found, 1st Set-Cookie named remember_email value is attackerloginid@testsite.com and 2nd Set-Cookie named registration_status value is registereduser and the Location header value is as site Dashborad page Url https://testsite.com/user/accounts/dashboard.

5. As now we are able to find the variation between the wrong and right passwords server responses so we know we can Predict the Login Validation Process for the right password for any victims account and also for the Admin account.

So in simple words now the attacker will try to login into the victims account using the login Url and victims user id or login email id which is victimloginid@testsite.com with a wrong password while intercepting the response using any web proxy and he will get the server response code as 302 Found with a 1st Set-Cookie named remember_email with null as value and 2nd Set-Cookie named registration_status with a unregistereduser as value and with the Location header value as site Is User login page Url https://testsite.com/user/login.

So now the attacker will add the 1st Set-Cookie named remember_email with a victimloginid@testsite.com as value and 2nd Set-Cookie named registration_status with a registereduser as value and with the Location header value as site User Dashboard page Url https://testsite.com/user/accounts/dashboard and forward the request using any web proxy, now the attacker successfully logs into the victims account.

Now to Bypass the Admins login Authentication in same way  the attacker will add the 1st Set-Cookie named remember_email with a adminloginid@testsite.com as value and 2nd Set-Cookie named registration_status with a registeredadmin as value and with the Location header value as site Admin Dashboard page Url https://testsite.com/admin/accounts/dashboard and forward the request using any web proxy, now the attacker successfully logs into the Admins account and gains the Admin Privilege.

So in this way we can easily Bypass the Admin Authentication as well an Users Athentication :).

Key Points: registration_status cookie value unregistereduser is for a user with wrong password, registereduser id for a user with right password and registeredadmin is for the admin user with right password.

Attacker's Login ID: attackerloginid@testsite.com

Victim's Login ID: victimloginid@testsite.com

Admin's Login ID: adminloginid@testsite.com

Original Server Response Using Attacker's Account with Wrong Password:

HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Tue, 15 Feb 2013 18:30:09 GMT
Location: https://testsite.com/user/login
Set-Cookie: remember_email=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: registration_status=unregistereduser; path=/; expires=Fri, 10-Dec-2016 18:32:44 GMT
Status: 302 Found
Vary: Accept-Encoding
X-Runtime: 95
Content-Length: 109
Connection: keep-alive

Original Response Using Attacker's Account with Right Password:

HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Tue, 15 Feb 2013 18:32:22 GMT
Location: https://testsite.com/user/accounts/dashboard
Set-Cookie: remember_email=attackerloginid@testsite.com; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: registration_status=registereduser; path=/; expires=Fri, 10-Dec-2016 18:32:44 GMT
Status: 302 Found
Vary: Accept-Encoding
X-Runtime: 95
Content-Length: 109
Connection: keep-alive


Modified Response in which the attacker modified Set-Cookie & its Value, Status, Location Header and its Value and Sent it as a Request to Bypass Victims Login:

HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Tue, 15 Feb 2013 18:35:43 GMT
Location: https://testsite.com/user/accounts/dashboard
Set-Cookie: remember_email=victimloginid@testsite.com; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: registration_status=registereduser; path=/; expires=Fri, 10-Dec-2016 18:32:44 GMT
Status: 302 Found
Vary: Accept-Encoding
X-Runtime: 95
Content-Length: 109
Connection: keep-alive

Modified Response in which the attacker modified Set-Cookie & its Value, Status, Location Header and its Value and Sent it as a Request to Bypass Victims Login:

HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Tue, 15 Feb 2013 18:40:14 GMT
Location: https://testsite.com/admin/accounts/dashboard
Set-Cookie: remember_email=adminloginid@testsite.com; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: registration_status=registeredadmin; path=/; expires=Fri, 10-Dec-2016 18:32:44 GMT
Status: 302 Found
Vary: Accept-Encoding
X-Runtime: 95
Content-Length: 109
Connection: keep-alive

Impact: 

The Login Validation Process is Predictable using which an attacker can easily compromise Admins account and any other users account of the Application.

Recommendation:  

The Login Validation shall not be dependent on Cookies Values and Location Header values combination and the Privileges shall not be granted on the basis of cookie values. Also the it shall not be dependent on the Client-Side Validation instead proper Server-Side Validation shall be done for the Correct Passwords.

So in this way one can Takeover or Bypass the authentication of Admins account as well as any users victims accounts using the Using Admin Login Validation Process Prediction also this way can be used to find same type of vulnerabilities on many different websites.

Suggestions and Feedbacks are welcome.