Lab: Authentication bypass via encryption oracle
This lab contains a logic flaw that exposes an encryption oracle to users. To solve the lab, exploit this flaw to gain access to the admin panel and delete Carlos.
You can log in to your own account using the following credentials:
Log in with the "Stay logged in" option enabled and post a comment. Study the corresponding requests and responses using Burp's manual testing tools. Observe that the
stay-logged-incookie is encrypted.
Notice that when you try and submit a comment using an invalid email address, the response sets an encrypted
notificationcookie before redirecting you to the blog post.
Notice that the error message reflects your input from the
Invalid email address: your-invalid-email
Deduce that this must be decrypted from the
notificationcookie. Send the
POST /post/commentand the subsequent
GET /post?postId=xrequest (containing the notification cookie) to Burp Repeater.
In Repeater, observe that you can use the
POSTrequest to encrypt arbitrary data and reflect the corresponding ciphertext in the
Set-Cookieheader. Likewise, you can use the
notificationcookie in the
GETrequest to decrypt arbitrary ciphertext and reflect the output in the error message. For simplicity, double-click the tab for each request and rename the tabs
In the decrypt request, copy your
stay-logged-incookie and paste it into the
notificationcookie. Send the request. Instead of the error message, the response now contains the decrypted
stay-logged-incookie, for example:
This reveals that the cookie should be in the format
username:timestamp. Copy the timestamp to your clipboard.
Go to the encrypt request and change the email parameter to
administrator:your-timestamp. Send the request and then copy the new
notificationcookie from the response.
Decrypt this new cookie and observe that the 23-character "
Invalid email address:" prefix is automatically added to any value you pass in using the
notificationcookie to Burp Decoder.
- In Decoder, URL-decode and Base64-decode the cookie. Select the "Hex" view, then right-click on the first byte in the data. Select "Delete bytes" and delete 23 bytes.
Re-encode the data and copy the result into the
notificationcookie of the decrypt request. When you send the request, observe that an error message indicates that a block-based encryption algorithm is used and that the input length must be a multiple of 16. You need to pad the "
Invalid email address:" prefix with enough bytes so that the number of bytes you will remove is a multiple of 16.
In Burp Repeater, go back to the encrypt request and add 9 characters to the start of the intended cookie value, for example:
Encrypt this input and use the decrypt request to test that it can be successfully decrypted.
Send the new ciphertext to Decoder, then URL and Base64-decode it. This time, delete 32 bytes from the start of the data. Re-encode the data and paste it into the
notificationparameter in the decrypt request. Check the response to confirm that your input was successfully decrypted and, crucially, no longer contains the "
Invalid email address:" prefix. You should only see
From the proxy history, send the
GET /request to Burp Repeater. Delete the
sessioncookie entirely, and replace the
stay-logged-incookie with the ciphertext of your self-made cookie. Send the request. Observe that you are now logged in as the administrator and have access to the admin panel.
Using Burp Repeater, browse to
/adminand notice the option for deleting users. Browse to
/admin/delete?username=carlosto solve the lab.