Authentication Bypass Via Flawed State Machine

Introduction

Hello, friends! How are you all doing? This is our 12th article focusing on business logic vulnerabilities. In this article, we will practically solve the “Authentication bypass via flawed state machine” lab from PortSwigger Web Security, step by step.

Lab Description Of Authentication Bypass Via Flawed State Machine

Authentication bypass via flawed state machine

This lab has a logic flaw in the login process. To solve the lab, we need to exploit the flaw to bypass authentication and gain access to the admin interface. After that, we will delete Carlos’ account.

For logging in to the lab, the username “wiener” and password “peter” have been provided.

Lab Solution

First, enable your Burp Proxy. Once the proxy is enabled, log in to your account as usual.


After logging in, you will see an interface like this.

Now, we will perform directory fuzzing to find the path to the admin panel.

To do that, go to the Target tab and right-click on the lab’s domain. Click on “Engagement tools” and then select “Content discovery.” Click on “Session is not running.”


Wait for a moment, and the lab’s hidden content will start appearing. As you can see in the screenshot above, we have found the /admin page.

When I tried to access it, I received an error stating that only the administrator user can access this location.

Now, I will log out of my account. After logging out, I will be redirected to the login page of the lab.

Next, I will log in as a simple user, but remember to keep the intercept on during the login process.


When I intercepted the login request, I found a request of this type.

Now, I will forward this request.

After forwarding the request, I will see another request: the role-selector request shown in the screenshot above. Now, I will drop this request.


After dropping it, I will see an interface like this.

Now I will remove “role-selector” from the URL. As you can see in the error screenshot above, simply delete “role-selector” from the URL and load it again.

You can see that by removing the role-selector, we have gained access to the admin panel.


Now, click on the admin panel and delete Carlos’ account. You can see that we have successfully solved the lab. This lab was quite easy, as all we needed to do was drop the role-selector request during login. The flaw is that the application treats the session as logged in before the role-selection step has completed, so skipping that step leaves the session with a default role, and that default is the administrator.
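To make the flaw concrete, here is an added example (not code from the lab or from this post) that models the two-step login as a small state machine in Python: the flawed version assumes the role-selector step always runs and falls back to a privileged default, while the hardened version refuses to treat the session as complete until the role was explicitly set. The credential, role names and session layout are assumptions made for the illustration.

```python
# Constructed sample credential and paths for the illustration only.
USERS = {"wiener": "peter"}
ALLOWED_ROLES = ("user", "content-editor")


def login(session, username, password):
    """Step 1: verify credentials and start a session (role not chosen yet)."""
    if USERS.get(username) != password:
        return False
    session["user"] = username
    session.pop("role", None)          # the role is set in step 2
    return True


def select_role(session, role):
    """Step 2: the role-selector request the browser normally sends next."""
    if "user" not in session or role not in ALLOWED_ROLES:
        return False
    session["role"] = role
    return True


def flawed_admin_access(session):
    """Vulnerable check: assumes step 2 ran; a missing role falls back to admin."""
    if "user" not in session:
        return False
    # Bug: the default for an absent role is the most privileged one.
    return session.get("role", "admin") == "admin"


def hardened_admin_access(session):
    """Hardened check: a session without an explicit role is an incomplete
    login state, so it is denied; admin is only granted by an explicit value."""
    if "user" not in session or "role" not in session:
        return False
    return session["role"] == "admin"


def run_flow(check, skip_role_step):
    """Drive the state machine: log in, optionally drop the role-selector
    request, then ask whether /admin would be reachable."""
    session = {}
    if not login(session, "wiener", "peter"):
        return False
    if not skip_role_step:
        select_role(session, "user")
    return check(session)
```

Dropping the role-selector request (`skip_role_step=True`) reaches the admin panel only with the flawed check; the hardened check denies both the skipped and the completed flow for a normal user.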

So, we have successfully solved the business logic flaws/vulnerabilities lab “Authentication bypass via flawed state machine.”

If you want to explore further in web security, you can visit our website, where we cover web security from basic to advanced levels. We regularly upload articles related to cybersecurity and web security.
