
The Art of Authentication Bypass

BSides Ahmedabad · 2025 · 32:11 · 8.9K views · Published 2025-04
Category: Technical
Style: Talk
About this talk
At BSides Ahmedabad 0x06, Abdallah AL Mohameed delivered an electrifying talk titled "The Art of Authentication Bypass", and it was packed with cybersecurity! He dove deep into: path manipulation, improper redirection handling, cross-subdomain cookie reuse, all sneaky ways to bypass authentication. But wait, there's more! Abdallah also explored: bypassing registration restrictions, auth and access control flaws in ASMX and SVC technologies. And he gave a shout-out to URLScan.io, a powerful tool for sniffing out auth bypass vulnerabilities like a pro! It was a masterclass in spotting the cracks and sliding through the gaps in web security defenses!
Transcript [en]

How are you all? I hope everyone is back. Are you ready for the next session? Say yes. Yes, that's the energy, that's the energy. All right, okay, so how many bug hunters in the club? Wow, nice, okay. All right then, the upcoming session, which is authentication bypass, which is a part of the OWASP Top 10, which falls under the seventh category. We are going to discuss this and dive deeper into authentication bypass. We have Abdullah, whose Twitter name goes with hacker 007. All right, so it's your stage now.

Good evening everyone. I'm glad to be here with you all in such a great

conference that gathers all of us here today, and in that context I would like to thank all the organizers who gave this conference a chance to be. Let's start. I would be happy to start my presentation, which is, as you can see, The Art of Authentication Bypass. First let me introduce myself. I'm Abdallah Muhammad, known as HackerX007. By the way, I never watched any James Bond movie, it's just a name. Bugcrowd top 50, P1 warrior rank top 10 with more than 200 P1s on Bugcrowd, Hacker Cup winner 2022 and 2023, and hall of fame of a lot of companies like Meta, Melo and X. Today we are going to talk about six topics, six methods of authentication

bypass. The first topic would be authentication bypass via path manipulation, authentication bypass via improper redirection handling, authentication bypass via cross-subdomain cookie reuse, and authentication bypass via bypassing registration restrictions. Last but not least, a deep dive into authentication and access control vulnerabilities in ASMX and SVC, and URLScan for bug bounty hunters finding authentication bypass. For all of these topics, scenarios and bugs, I will show you examples of these bugs I found during my bug bounty journey.

So let's start with authentication bypass via path manipulation. It was one of the strangest bugs I ever found, and it was one of the most enjoyable ones. In a short way, what is path manipulation? I will make it so

simple: access to a protected endpoint by appending a non-protected endpoint to it. Let's start with an example. During my test in a bug bounty app I found an endpoint called config_user. When you open it, it redirects you again to login.aspx. As you can see here, sending a GET request to config_user, the response is 302 and it redirects us to the login page again. So an idea came to my mind: why wouldn't I try config_user.aspx/login.aspx? And to my surprise, this worked. It was a weird idea but it still worked. As you can see in the request, config_user.aspx, which is a protected endpoint as you saw in the

previous picture, is not allowing us to access it; it redirects us to the login page. But when I appended login.aspx to this endpoint, as you can see in the response, the response now changed to 200 and it's OK with the content. As you can see in the HTML response, the page is working. Also you can see in the GET request there is no cookie information or any session information. This led to a full authentication bypass, giving me all the access as admin to all other endpoints, for example the admin dashboard. Was this just a front end access or front end bypass? No, I was able to

list all the users in the application and even add, delete and edit users with full admin privileges. This unusual yet critical P1 came with 8K in bounty. What we have learned from this: always trust your thoughts, even if it was a weird thought. Always try non-protected endpoint/protected endpoint, or the reverse, protected endpoint appended to a non-protected endpoint.

Second, we have a method we call authentication bypass via improper redirection handling. It's an easy bug to find and it still exists, and you can get a great bounty with a huge amount. Let's start by defining what improper redirection handling is. It's a bug where the web application mismanages redirection by processing or delivering sensitive content and actions before checking for

user authentication, which can lead to unauthorized access or sensitive data exposure. In a short and simple way: sending a GET request to a protected endpoint, or sending a POST request to a protected endpoint, you can see the content of this protected endpoint, or the POST function you have sent has succeeded; then the authentication process starts and redirects you again to the login page. But it's too late, since we have already seen the content or our POST function has succeeded before the redirection. So one example: while I was working on admin.target.com I found an endpoint called admin/login.aspx. Reading the JavaScript file in this login.aspx I found two endpoints, main.aspx and adduser.aspx. Opening main.aspx

using the browser, it redirected me again to the login page, but Burp has a different story to tell. Sending main.aspx to Repeater as a GET request and sending the request from there, I noticed the response had an unusually large content length, much larger than the expected or typical redirect response. As you can see here, sending a GET request to domain/main.aspx, the response is 302, which redirects us, and you can see the Location header redirects us to the login page, and also you can notice the HTML code which redirects us again to the login page. But if you take a good look at the Content-Length header you can notice it's high, it's much larger than a normal

response. Also you can notice in the response there was the content of main.aspx. So using Burp match and replace, and using inspect element, I was able to change the 302 to 200, remove the Location header and remove the redirecting HTML code, and I was able to achieve a full authentication bypass, fully functional and not just the front end. Using the same steps on adduser.aspx, I was able to access adduser.aspx, and from the endpoint name you can know it's for adding an admin account to the panel. So sending a request for adduser.aspx I was able to see all the functions, all the

forms in this endpoint as HTML, and I was able to make a POST request to this endpoint to add a user. Of course I could keep testing all other endpoints like admin.aspx or any other endpoint using the same steps, but adding a user account made this thing much easier for us and expanded our attack surface. So we are back again after adding a user: with a POST request to adduser.aspx I was able to add an admin account into the panel. After making an admin account in the panel and logging in, I found an endpoint to run Microsoft SQL query commands, and for my luck xp_cmdshell was enabled, which gave

me RCE directly. As you can see in this picture, executing the whoami command using xp_cmdshell on Microsoft SQL Server, and the response of it. Easy bug, but it's still worth 35K. What we have learned from this: when you open a protected endpoint that redirects you again to the login page, try to send it to Repeater and see the response from there. When you find an authentication bypass, report it and ask the owner to escalate the impact. Don't just stop at an authentication bypass bug, because bugs like RCE, for example, can significantly increase your bounty.

So we have another, third part; I call it authentication

bypass via cross-subdomain cookie reuse. Let's start by defining what this is. It's a bug where cookies from one subdomain are misused in another subdomain, allowing potential access to sensitive areas that this cookie was not meant for. For simplicity let's take an example: bugcloud.support.com. I was working on this subdomain. I found a panel for a third-party service hosted on bugcloud.support.com; you should remember this. This third party, let's say, provides a support panel for various customers, for example let's say Bugcloud, Twitter, etc., allowing their clients to submit support tickets directly to the support team. So this third party by default does not allow new registration, a new user registering an account. It has a function called request access. This

function works by sending a request, a form that you put your email in, and the admin should approve this request. This request access function is the default setting in this third-party panel, but their documentation says that you can change this request access to full registration. Unfortunately for me, bugcloud.support.com, which was our target, was using the default setting. So using some Google dorks, as you can see, I found another customer, let's assume it's Twitter. Twitter was allowing registration, unlike the default setting that our target used, which is requesting access. After full registration on twitter.support.com I was able to log in, and I read some JS files. I found an API called

/api/get_admin_configuration, and from this API name you can know what the point of it is. So trying to access this endpoint on Twitter, again, Twitter is not our target, it's a customer that allows registration; trying the endpoint on Twitter I was able to access this API call and I was able to view all admin settings and even passwords. It's a broken access control vulnerability, since you are just a normal user, you don't have admin privilege to access this endpoint. So since my target was bugcloud.support.com, I tried to access the same endpoint. I thought maybe it requires no authentication to access this endpoint. I tried to access it but I received

401 Unauthorized. So back to Twitter, where we have created an account. I noticed any API call from Twitter to support.com requires an authentication cookie called supporthub with a random value. So out of curiosity I asked myself, why wouldn't I add this same cookie with the same value in an API request on our target, like bugcloud.support.com/api/get_admin_configuration? By just copying this cookie and the value of this cookie and putting it in the request, to my surprise the 401 is now 200, with a different admin password and different admin settings, which indicates and means that the data we got from bugcloud.support.com was the target's data, not

Twitter's, since we have a different password and settings. That means the authentication cookie we got from twitter.support.com was valid for any API call on our target, which is bugcloud.support.com. In a short way: if we find a customer that allows registration and our target does not allow registration but has a function called request access, we can make an account on that customer that allows registration, take the cookie value and the cookie name, the authentication cookie, and put it in an API call on our target, which was a subdomain on support.com, and that worked. An easy trick, a simple trick, but it was worth as much as 15K in bounty. What we have learned from this

part: when you are targeting a subdomain that operates on a third party, try to search for other customers using the third party, and in the other customers try to see what functions are available for them and not available for your target, especially functions related to session management or authentication. Take these functions and test them on your target. If you have two subdomains and they are using the same app, one subdomain allowing registration and the other subdomain not allowing registration, try to make an account on the subdomain that already allows registration, take the cookie, or the authentication header or cookie, or anything related to authentication, and try

to access API calls on that subdomain. By the way, it was a zero-day that we found, me and Olwa, in the third party.

Next we have authentication bypass via bypassing registration restrictions. It's similar to the previous bug, but it has a critical object we must consider. Let's say our target was target.com. Using Google dorks I found a third party that our target used, as target.third.com. Testing in this third party I found an endpoint to create an account, account/create, but it had been disabled and was not working anymore. Using Google dorks like site:third.com I found another

customer, let's assume it's Bugcloud. Bugcloud was using the third party, but the different thing was that Bugcloud was allowing registration, as you can see on the next page. As you can see in this picture, our target's registration page was just empty, it had been disabled, and bugcloud.third.com/account/create was a fully working registration page. So what I did: using the registration request, I made my own account and filled in the information on bugcloud.third.com, which is allowing registration, took this request into Repeater and just changed the Host header to target.third.com. After sending the request it worked, since the email validation just uses your own email. I registered

with my email and I received a verification email from our target. After verifying it and logging in again I was able to access this panel. As you can see here there are lots of endpoints, but as a hacker the first thing you will try to access is the users endpoint; anyone would do this. So accessing the users endpoint I received 401 Unauthorized. So an idea just came to my mind: since this is just meant for this target, why wouldn't I change my email to something like hackerx007@target.com? Also there was a problem that if you change your email after registration there is no email verification, so you can put any email you want. So I changed my email to

hackerx007@target.com, and after this I logged out and logged in again and tried to access the same endpoint, which was users, and for my luck it worked. I could access all the functions in the panel, including adding, deleting and editing users, as you can see in this picture. What we have learned from this: similar to the previous bug, test the other customers that use the same third party that your customer is using, see what functions are available for them and not available for you, take the request for this function and send it to Repeater, change any required header you should change, like the Host header, Referer, CSRF token, and see, maybe this function would work on your

target.

Fourth, last but not least, we have a deep dive into authentication and access control vulnerabilities in ASMX and SVC. First, how many bug bounty hunters have found ASMX and SVC in bug bounty? You can find a lot of ASMX and SVC during your tests. Most hunters just skip these ASMX and SVC endpoints, but they have a critical impact in the application. Let's start with what ASMX and SVC are. They are web service technologies used in .NET. ASMX is used for simple web services, and SVC, WCF, supports multiple communication protocols. So why you should never overlook or miss SVC and ASMX during your bug bounty hunting: approximately 95% of the SVC and ASMX

endpoints I found during my tests require no authentication. The whole ASMX page requires no authentication, or has some operations, critical operations let's say, that don't need any authentication to perform. This lack of measures can lead to different types of vulnerabilities, critical ones like PII disclosure, broken access control, SQL injection and local file inclusion, as we will see in the next pictures. So how and where to find ASMX and SVC endpoints: when you are working on a .NET app, try to read the JavaScript files, or any app, not just .NET, try to read the JS files. Good: use extensions like JS Link Finder and use GAP. Also use Google and Bing dorks; it was so useful for

us, as well as the sites that catch URLs like Web Archive, URLScan and VirusTotal. So you can sometimes find ASMX and SVC endpoints by fuzzing, and this is the most important thing: always when you are working on .NET apps try to fuzz for extensions like ASMX and SVC. Always fuzz for paths; try to search for these paths, for example webservice, also we have service, like adminservice, managerservice, etc. Subdomain service, like if you have manager.target.com, manager is the subdomain name, try managerservice or managerwebservice. App name service, like if you have manager.target.com and an app name or path called center, try centerservice, centerwebservice, or you can also try

this path like center/centerwebservice and centerservice. So let's say you found one of these paths and you are trying to access the ASMX and SVC endpoints on it. You can fuzz as I told you before: when you are working on .NET apps try to fuzz for ASMX and SVC extensions, try also to fuzz like service.asmx or .svc, try appname.asmx or .svc, also try subdomain.asmx or .svc, or you can try appnameservice.svc, subdomainservice.asmx or .svc. So you found an ASMX or SVC endpoint, how to use it? I recommend you use SoapUI. It's an easy tool to use and it's free. As you can see, use it with the WSDL as a

parameter. This will list all the operations in the app. As you can see in this picture, you can put any project name and you put the WSDL endpoint as a parameter. So after this, this will list all the operations in this endpoint, ASMX and SVC. As you can see here, the first operations are called active achieve key, active key, active permission, active user, and each operation takes parameters. For example, in the request here we have an operation called download file request and it takes a complete file path. Of course all of you know how this endpoint will end. I will talk about this endpoint, especially this operation, later. You have a different choice: to use

Burp. Most ASMX and SVC endpoints give you a list of operations to use directly. As you can see here, if you click on any operation you can get the request of this operation, copy it and send it to Burp Repeater, and put the value of the parameter as you want to test. Some bugs you can find using ASMX and SVC: as you can see, I talked about this operation, it's called download file request, it takes a parameter called complete file path. The first thing I tried to access was web.config. Especially when you are testing ASP.NET or Microsoft apps, the first thing you try to access is the web.config, because you

can get RCE from this file. So anyway I tried to access web.config, and the response, as you can see here, was Base64. In most of the local file inclusions I found in ASPX, especially ASMX and SVC, the response of the file was just encoded as Base64. So decoding the Base64 I was able to see all the content of this web.config, which led us to using the machine key. Now we will talk about SQL injection. For example this endpoint has an operation with a parameter called SQL, and this parameter directly ran Oracle SQL commands on the server, as you can see here, the SQL query and the response. Also you can find PII in

these endpoints. For example we have an operation called get user, and from this operation name you can know what its function is. Sending a request using this operation, the response was there, as you can see; it has a lot of sensitive information for all users including their emails, as you can see in the picture, also usernames, passwords and emails. Also you can find a lot of other vulnerabilities like RCE. I found a lot of RCEs using ASMX and SVC, but it's much different from a normal RCE. I found an ASMX endpoint that had an operation called create file. This create file operation allows you to create a file on the server directly, and

it takes just three parameters. The first parameter takes the complete file path of this file, where you want to put your file. It also has the file name, you can name your file, and it also has a third parameter called file content. So I tried to make a shell; for example the file name was hackerx007.aspx, and then the file content. In ASMX and SVC endpoints there is an important note: most of them take the file value or file content as Base64, so you should encode it as Base64, for example your ASPX shell, and

after this, after it is encoded as Base64, you can put it in the file content parameter. What we have learned from this: never ever miss ASMX and SVC endpoints, it's a trigger for bugs. Also try to check all the operations in these endpoints; some operations might require authentication, but as I told you some other operations are critical operations that require no authentication. Also when you are working on an ASP.NET application, do your best to search for these endpoints using the methods we have discussed, especially the fuzzing methods.

Last, we have URLScan for bug bounty hunters finding authentication bypass vulnerabilities. Let's start with what URLScan is. URLScan is a powerful scanner

technology that allows security and risk management teams to analyze and understand URLs. Unfortunately most of the scans on URLScan are public, making it a double-edged sword by allowing anyone to view these scans. As a bounty hunter, what can I expect to find on URLScan? You can find hidden endpoints that might expose vulnerabilities, for example, as I said, ASMX and SVC endpoints. You can also find password reset tokens, which can lead to authentication bypass and account takeover, especially if these tokens were for employees. Third, we have registration confirmation links on subdomains that are not typically open for public registration, and this third part we will talk about as an example.

So for example I was working on admin.target.com. I found an endpoint for registration called admin registration. As you can see, I tried first to register with my own personal email; when I tried to register with my own personal email I didn't get registered, it's not accepted, as you can see. So I tried to register with a company email like hackerx007@target.com. The application indicated that it accepted it and the email verification has been sent to this email we have registered with, but we don't have any luck accessing this email or any other organization email, since we don't own them. So using URLScan, as you can see, I

searched for admin.target.com, and you can see the last URL was taking a parameter called a with a value reg, meaning registration, and also you can notice a UID with a numeric value, which means the UID of the user. Opening this registration link in the browser I found out the link is still active. As you can see here it asks us for the first name and the last name and it shows us the email address for this user, the email address that the link has been sent to. Also the most important thing, it asks us for a password. So filling in all the information and putting a password, I was able to access this

endpoint, this panel, with full admin access. An easy bug that earned me a bounty. What we have learned from this: always search on URLScan, it's a treasure, especially for account takeover of employees, or hidden endpoints, or anything like this. You can find great stuff on VirusTotal and URLScan; you can also use VirusTotal as well as URLScan. For more information on VirusTotal you can see our presentation on this. If you use VirusTotal and URLScan it will expand your attack surface so much. Here we have some bounties using these methods. As you can see, the first bounty was 20K in bounty, it was using

the registration restriction bypass. The second bounty is my favorite bug I ever found; it was great and so much critical. It was 30K in bounty. As you can see it was an authentication bypass which led to RCE and more than 1 million accounts' PII disclosure including passwords, and it was 30K in bounty. The last one I have was 25K, it was just simple, using the ASMX and SVC. Also, by the way, the 30K one was using the improper redirection handling. Okay, it's easy, as I told you, it's an easy trick that earned me this bounty. Last word, final talk: bug hunting might seem hard, but it's truly within everyone's

reach with curiosity and a little bit of effort. Let's stop on the curiosity word. As you saw in all the previous examples, curiosity was the main reason for finding these bugs; without curiosity you can't find them. I was just asking myself, I should try this, I should put this, I should try this, and all these thoughts were weird. I didn't expect any of them to work, especially in path manipulation and cross-subdomain cookie reuse; I didn't expect this would work, but I said let's try it, I'm not losing anything, and yes, it worked. So anyone can find these bugs. Remember, it's not just about the effort,

it's about the smart approach. Okay, you've got this, start exploring and see what you can discover. Thank you all for your listening, I really appreciate your time and attention. Thank you. Now I would be happy to hear any questions, if anyone has any question. No

question? Okay, I hope you all enjoyed this talk. Thank you again.
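The improper redirection handling the talk walks through, as an added example that is not part of the transcript or the speaker's material: a Python check that applies the speaker's Content-Length heuristic to captured responses (constructed here), next to a hypothetical handler pair showing the process-before-authenticate root cause and the corrected order. The threshold, the sample bodies and the handler names are assumptions made for this example.

```python
from dataclasses import dataclass, field

# An ASP.NET "Object moved" redirect stub is only ~150 bytes; this threshold is
# chosen for the example and should be tuned to your own framework's stub size.
REDIRECT_BODY_LIMIT = 512
REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_response(raw: bytes) -> Response:
    """Split a raw HTTP/1.1 response into status, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()
    return Response(status, headers, body)


def leaky_redirect(resp: Response) -> bool:
    """The Content-Length heuristic from the talk: a redirect whose body is far
    larger than a plain stub is probably carrying the protected page along."""
    if resp.status not in REDIRECT_CODES:
        return False
    declared = int(resp.headers.get("content-length", len(resp.body)))
    return max(declared, len(resp.body)) > REDIRECT_BODY_LIMIT


def audit(samples: dict) -> list:
    """Return the names of captured responses that look like leaky redirects."""
    return [name for name, raw in samples.items() if leaky_redirect(parse_response(raw))]


def raw_response(status: int, reason: str, headers: dict, body: bytes) -> bytes:
    """Build a raw response; used here only to construct the samples below."""
    lines = [f"HTTP/1.1 {status} {reason}"] + [f"{k}: {v}" for k, v in headers.items()]
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


# Constructed samples: a proper redirect stub, and a redirect that still carries
# the rendered admin page (the pattern the talk describes).
STUB = (b"<html><head><title>Object moved</title></head><body>"
        b"<h2>Object moved to <a href=\"/login.aspx\">here</a>.</h2></body></html>")
ADMIN_PAGE = (b"<html><body><h1>Manage users</h1><table>"
              + b"".join(b"<tr><td>user%02d</td><td>user%02d@example.com</td></tr>" % (i, i)
                         for i in range(40))
              + b"</table></body></html>")
SAFE_REDIRECT = raw_response(302, "Found", {"Location": "/login.aspx"}, STUB)
LEAKY_REDIRECT = raw_response(302, "Found", {"Location": "/login.aspx"}, ADMIN_PAGE)


# The root cause and its fix, as a minimal handler pair (hypothetical handlers,
# not the application from the talk).
def render_users(users: list) -> bytes:
    rows = "".join(f"<tr><td>{u}</td></tr>" for u in users)
    return f"<table>{rows}</table>".encode()


def vulnerable_handler(authenticated: bool, users: list) -> Response:
    body = render_users(users)  # bug: protected content rendered before the check
    if not authenticated:
        return Response(302, {"Location": "/login.aspx"}, body)  # body leaks
    return Response(200, {}, body)


def fixed_handler(authenticated: bool, users: list) -> Response:
    if not authenticated:  # fix: check first, redirect with an empty body
        return Response(302, {"Location": "/login.aspx"}, b"")
    return Response(200, {}, render_users(users))


if __name__ == "__main__":
    print("flagged:", audit({"safe": SAFE_REDIRECT, "leaky": LEAKY_REDIRECT}))
```

Running the audit over a proxy's saved responses for every URL that answered with a redirect to the login page turns the speaker's manual Content-Length observation into a repeatable regression check.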