Bypassing 403s like a PRO! ($2,100): Broken Access control

Hello hunters, hope you’re doing well, and apologies for the huge gap in posting articles.

This article highlights my way of dealing with 403s and how I managed to get a P1 in minutes!😍

Excited to share this story with you all. Let’s get started!😁

Let's Begin

A Broken access control vulnerability is a type of security flaw that allows an unauthorized user access to restricted resources. By exploiting this vulnerability, attackers can circumvent standard security procedures and gain unauthorized access to sensitive information or systems.

You might have observed that for sensitive endpoints such as .htaccess, config.php, etc., the server usually returns a 403 forbidden response. But what does that mean?

According to the Mozilla documentation, The HTTP 403 Forbidden response status code indicates that the server understands the request but refuses to authorize it.

BUT, If the access control mechanism applied is weak, an attacker can bypass the security controls and access the restricted resource

About the application:

The Web application is an IOT service delivery platform and offers a variety of IOT-related services. As usual, I begin my directory enumeration with the dirbuster wordlists and find a /console endpoint which returns a 403 response.

The /console endpoint is our further lead. Let’s move ahead with the bypass techniques.

Ways to bypass 403 endpoints:

Bypassing 403 includes multiple ways such as HTTP verbs/methods fuzzing, HTTP headers fuzzing, Path fuzzing, etc. However, we will focus on the path fuzzing technique.

Path fuzzing:

If /path is blocked:

Try using . or %2e: /%2e/path
(if the access is blocked by a proxy, this could bypass the protection). Try also /%252e/path (double URL encode)

Try Unicode bypass: /%ef%bc%8fpath
(The URL encoded chars are like “/”) so when encoded back it will be //path and maybe you will have already bypassed the /path name check

Other path bypasses:

site.com/secret –> HTTP 403 Forbidden
site.com/SECRET –> HTTP 200 OK
site.com/secret/ –> HTTP 200 OK
site.com/secret/. –> HTTP 200 OK
site.com//secret// –> HTTP 200 OK
site.com/./secret/.. –> HTTP 200 OK
site.com/;/secret –> HTTP 200 OK
site.com/.;/secret –> HTTP 200 OK
site.com//;//secret –> HTTP 200 OK
site.com/secret.json –> HTTP 200 OK (ruby)

I prefer using the 403 Bypasser Burp extension by Gil Nothmann to automate the bypass techniques.

What worked for me?

Using Burp, I captured the GET request to the /console endpoint and sent the request to the 403 Bypasser burp extension. The extension worked like a charm and provided me with the results.

Usage of a . (dot) or %2e in the URL path (/%2e/console) allowed me to bypass the access control check and gave me access to the Internal system console manager.

I quickly added rules in Burp to prepend every necessary request with /%2e/ so that I can browse through the console manager conveniently.

The console manager revealed very sensitive component data including build details, OS details, and user details, and also provided a CLI component for code execution.

Conclusion:

The submission was triaged quickly and categorized as a P1. I was later rewarded with a $2,100 bounty.

That’s all for this article, I hope you guys enjoyed this form of learning ❤

Stay Safe 🤗

Follow my Instagram Creator account for more Bug Bounty & Ethical Hacking related content: https://www.instagram.com/shrirangdiwakar/ 😇

My LinkedIn: www.linkedin.com/in/shrirangdiwakar 🥰

Shower your love with the claps & share this with your friends ❣