Bypassing Security Filters

#web #attacks #https #authentication

The other and more common type of HTTP Verb Tampering vulnerability is caused by Insecure Coding errors made during the development of the web application, which lead to web application not covering all HTTP methods in certain functionalities. This is commonly found in security filters that detect malicious requests. For example, if a security filter was being used to detect injection vulnerabilities and only checked for injections in POST parameters (e.g. $_POST['parameter']), it may be possible to bypass it by simply changing the request method to GET.

Identify

In the File Manager web application, if we try to create a new file name with special characters in its name (e.g. test;), we get the following message:

File Manager interface with a text input for 'New File Name', a 'Reset' button, and a link to 'notes.txt'. Message: 'Malicious Request Denied!'

This message shows that the web application uses certain filters on the back-end to identify injection attempts and then blocks any malicious requests. No matter what we try, the web application properly blocks our requests and is secured against injection attempts. However, we may try an HTTP Verb Tampering attack to see if we can bypass the security filter altogether.

Exploit

To try and exploit this vulnerability, let's intercept the request in Burp Suite (Burp) and then use Change Request Method to change it to another method:

HTTP GET request to 138.68.140.119:31378 with filename parameter 'test%3B' and headers including Host, Cache-Control, User-Agent, and Connection

This time, we did not get the Malicious Request Denied! message, and our file was successfully created:

File Manager with input for 'New File Name', 'Reset' button, and links to 'notes.txt' and 'test'

To confirm whether we bypassed the security filter, we need to attempt exploiting the vulnerability the filter is protecting: a Command Injection vulnerability, in this case. So, we can inject a command that creates two files and then check whether both files were created. To do so, we will use the following file name in our attack (file1; touch file2;):

File Manager with input 'file1; touch file2;', 'Reset' button, and links to 'notes.txt' and 'test'

Then, we can once again change the request method to a GET request:

HTTP GET request to 138.68.140.119:31378 with filename parameter 'file1%3B+touch+file2%3B' and headers including Host, Cache-Control, User-Agent, and Connection

Once we send our request, we see that this time both file1 and file2 were created:

File Manager with input for 'New File Name', 'Reset' button, and links to 'file2', 'notes.txt', 'test', and 'file1'

This shows that we successfully bypassed the filter through an HTTP Verb Tampering vulnerability and achieved command injection. Without the HTTP Verb Tampering vulnerability, the web application may have been secure against Command Injection attacks, and this vulnerability allowed us to bypass the filters in place altogether.

Exercise

TARGET: 154.57.164.65:32130

Challenge 1

To get the flag, try to bypass the command injection filter through HTTP Verb Tampering, while using the following filename: file; cp /flag.txt ./

Hint: See which HTTP method the injection filter is using, and try to use a different one.

We are basically given this challenge. Lets start by checking which HTTP method the injection filter uses. To do this I will first input the same given payload without intercepting the request:
02 - Areas/HackTheBox/HTB Academy/Bug Bounty Hunter/15. Web Attacks/Visual Aids/image-4.png
The request looks like this in Burp:
image-5.png
To proceed we just need to turn Burp Intruder on and repeat the same request by hitting Enter when having pasted the payload in the input field. This will allow us to edit the request and change the HTTP method:
image-6.png
Right-click on the request section and select Change request method, to simply change the HTTP request from a GET request to a POST request with a filename parameter:
image-8.png
The request now looks like this:

POST /index.php HTTP/1.1
Host: 154.57.164.65:32130
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: http://154.57.164.65:32130/index.php
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 36

filename=file%3B+cp+%2Fflag.txt+.%2F

Click Forward to transfer the request and see what happens:
image-9.png

Go ahead and Forward the above GET /index.php request with no change, then look at what appears on the browser:
image-10.png

To retrieve the flag just click on the flag.txt file link:
image-11.png

flag: HTB