Self Notes: Web Security Academy HTTP Request Smuggling Lab 6

Link to Lab 6

This Lab shows a bit of promise of fun. The task is to exploit a CL-TE request smuggling vulnerability to bypass the Front-end Server Access control to the admin panel, the front end server doesn't support chunked encoding. Access to login endpoint:


As seen above the login endpoint is accessible without any restriction. But an attempt to admin endpoint:


well, it seems we can't access the admin panel, maybe not. Interestingly we have this endpoint to our rescue:


we have already been informed that the server pair is vulnerable to CL-TE request smuggling, let's craft the exploit:


 the above request poison the Back-end server such that the next request will be routed to "/admin". Let's request the "/login" endpoint:


The Back-end server responded with 401 Not authorized, I guess not so fast, let render the full response:


I believe the Back-end server is very clear about what it expects from us, it expects that we either login as Administrator to access the Back-end admin interface or access from the internal network. To be honest, this took me a while to figure, at first, my assumption was that the Front-end server appends an HTTP Header to our request to indicate whether the request was coming from the internal network or the internet, as such I spent hours trying to figure out a way to get the output of the request sent to the Back-end server from the Front-end server in hope of finding the Headers added to our request. Well, to my disappointment nothing was appended to my request before it is sent to the Back-end server, it wasn't all a lost cause though, I discovered something along the way which is another topic for another post. After a few tests, I discovered that the Back-end server only checks if the Host is localhost to confirm you are coming from the internal network, while the Front-end server checks if your host Header matches a valid session before forwarding the request. So this request will get your past the Front-end Server:


The 'GET' request is smuggled past the Front-end server when this request is sent. Response from the server when the request is sent:


The Back-end server doesn't complain of the smuggled request, let's see what happens when a normal request is sent to the server:


We send a normal request to the login endpoint (it could be any endpoint it doesn't matter). Server's response:


It seems we have successfully smuggled our request past the Front-end Server. Now to complete the Lab, deleting the user Carlos:


Making a normal request after sending the above request:


Lab 6 Solved. This lab was really fun.

Comments

Popular posts from this blog

Before You Dive In...

OverTheWire: Bandit Lab

SSRF Notes: PortSwigger Labs Continued