[Tutorial] An Access Control Vulnerability (Redirection)

[Prince]

The Vulnerability:

To restrict access to a specific page or file on the website, the page is returned completely to anyone who requests it but with a "302 Moved Temporarily" status and a Location header specifying an address to redirect to for unauthorized users or guests. The browser, being a good boy, immidietly follows the redirection to the location specified in the Location header before loading the contents of the page.

How to exploit it:

To let the browser load the contents of the page, we just need to intercept the response of the server and remove the Location header and voala!

- An example :
I will use burp suite .

First, we turn on intercept server response.

This is the response in burp proxy. You can see that the contents of the page are present in this response.

We remove the location header and forward the response to the browser.

The page is loaded in your browser! In this example, the page is a file management system.

 

[mounir]

thanks for this technique, its rly interesting

 

[imthabawwse]

awesome share thanks

 

[Evan Fisher26]

i want to see

 

[AMen123]

Great job.

 

[gfiona]

great

 

[wggong]

wow nice share

 

[fsfs343]

thanks for sharing

 

[BrazukaGH]

Great!

 

[da53681e36]

big leak