Authentication bypass via encryption oracle

vijay nariyal
Jan 31, 2023

This is a practice lab presented by the PortSwigger web security team. It falls under the flow-control vulnerabilities present in web applications.

First, what is an encryption oracle?

An encryption oracle arises when user-controllable input is encrypted and the resulting ciphertext is then made available to the user in some way. This kind of input is sometimes known as an “encryption oracle”.

So, coming to the lab: we are given an account (username:password = wiener:peter). Now we have to gain admin functionality and delete another user called carlos.

Open the Burp proxy extension and capture the requests performed on the web application.

First, log in as wiener with “Stay logged in” enabled, go to any blog post, post a comment, and read the request and response of the comment submission. There is nothing helpful there, so try changing the submitted values one at a time: change name to anything, like 1, 2, 3. No helpful hint. Now change email to something that does not look like an email address, such as abc.com. When we study this response, we get a notification value in the Set-Cookie header.

Burp intercepts the request and response. Looking at the response, there is a notification cookie, which is completely new.

So after seeing this we check for its decoded value in the web page. There is an intercepted request GET /post?postId=x carrying the same notification value, which is decrypted and rendered as clear text in the web page, as shown below.

notification parameter in the HTTP request and its decrypted plain text

It says Invalid email address: your-invalid-email

So this reveals an encryption oracle, which can be used to decrypt values used in other parts of the web application, such as the cookie.

So we try to decrypt the session id value in the Cookie header. For that, send POST /post/comment to Burp Repeater and name the tab “encrypter”: it works like an encoder, encrypting whatever value is present in the email parameter. Send GET /post?postId=x to Repeater and name that tab “decrypter”: it decrypts the value that the encrypter produced from the email parameter of the POST request.

Now, in the decrypter tab, copy the stay-logged-in cookie value and paste it in as the notification value, as shown.

Now hit Send on the request and find:

<header class="notification-header">
wiener:1674923024106 </header>

This shows that it is logged in as the user ID name and a UNIX timestamp. Now, to get an encrypted value for the admin user with a timestamp, we put something like administrator:UNIX-TIME (take a current UNIX timestamp from Google) in the email parameter value.

Now the request in the encrypter tab looks like this.

Copy the notification value from the response and paste it into the decrypter tab in Burp Repeater.

In the decrypter tab, send the request, and the decrypted value appears in the response:

Invalid email address: administrator:1675145060

Observe that the 23-character “Invalid email address: ” prefix is automatically added to any value you pass in using the email parameter.

Send the notification cookie to Burp Decoder, URL-decode it, and then Base64-decode it.

decoded value

Now select the first 23 bytes (to remove “Invalid email address: ” from the cookie so that only the encrypted administrator:timestamp value remains) and choose Delete selected bytes.

select and delete first 23 bytes

Now encode this, first as Base64 and then as URL.

Now copy the URL-encoded value, paste it into the notification value in the Burp Repeater decrypter tab, and send the request.

It gives a 500 Internal Server Error, and the error message indicates that a block-based encryption algorithm is used and that the input length must be a multiple of 16. You need to pad the “Invalid email address: ” prefix with enough bytes so that the number of bytes you will remove is a multiple of 16. Now:

  • In Burp Repeater, go back to the encrypter request and add 9 characters to the start of the intended cookie value, for example: xxxxxxxxxadministrator:your-timestamp
  • Encrypt this input and use the decrypter request to test that it can be successfully decrypted.

Send the notification value to Burp Decoder and again URL-decode and Base64-decode it. This time, delete 32 bytes from the start of the data. Re-encode the data and paste it into the notification parameter in the decrypter request. Check the response to confirm that your input was successfully decrypted and, crucially, no longer contains the “Invalid email address: ” prefix. You should only see administrator:your-timestamp.
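To make the block arithmetic above concrete, here is an added Python model of the two oracles; it is not the lab's code and does not use the lab's key. It assumes a 16-byte block cipher in which every block decrypts independently of its neighbours (modelled as ECB mode over a toy HMAC-based Feistel cipher so the script runs with the standard library alone; the lab itself only reveals the 16-byte block size), the 23-byte “Invalid email address: ” prefix from the page, and constructed keys. It shows why removing just the 23 prefix bytes triggers the length error, why 9 filler bytes plus a 32-byte removal leaves a clean administrator:timestamp token, and, on the defensive side, how an HMAC tag bound to the token's purpose makes the notification oracle useless against the stay-logged-in cookie.

```python
import hashlib
import hmac

BLOCK = 16
ENC_KEY = b"constructed-demo-encryption-key"  # constructed, not the lab's key
MAC_KEY = b"constructed-demo-mac-key"         # constructed, hardened variant only
PREFIX = b"Invalid email address: "          # the 23-byte prefix the page observes


def _round(key, half, i):
    # Round function of the toy cipher: a keyed 8-byte value derived from one half
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    # Toy 128-bit block cipher: 4-round Feistel network (assumption: stands in for AES)
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, right, i)))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = bytes(a ^ b for a, b in zip(right, _round(key, left, i))), left
    return left + right


def pad(data):
    n = BLOCK - len(data) % BLOCK  # PKCS#7: n bytes of value n, 1 <= n <= 16
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key, plaintext):
    p = pad(plaintext)
    return b"".join(block_encrypt(key, p[i:i + BLOCK]) for i in range(0, len(p), BLOCK))


def ecb_decrypt(key, ct):
    if len(ct) % BLOCK:
        # Mirrors the lab's 500 error when the submitted token is not block aligned
        raise ValueError("Input length must be multiple of 16")
    return unpad(b"".join(block_decrypt(key, ct[i:i + BLOCK]) for i in range(0, len(ct), BLOCK)))


# The vulnerable application, as the page describes it
def notification_cookie(email):
    # Encryption oracle: the rejected email comes back encrypted in a cookie
    return ecb_encrypt(ENC_KEY, PREFIX + email)


def decrypt_notification(cookie):
    # Decryption oracle: the cookie is decrypted and echoed into the page
    return ecb_decrypt(ENC_KEY, cookie)


def stay_logged_in_user(cookie):
    # Same key and same user:timestamp format as the session cookie
    return ecb_decrypt(ENC_KEY, cookie).split(b":")[0]


def unaligned_strip_fails(value=b"administrator:1675145060"):
    # Dropping only the 23 prefix bytes leaves a ciphertext that is not a multiple of 16
    try:
        decrypt_notification(notification_cookie(value)[len(PREFIX):])
    except ValueError as err:
        return str(err)
    return None


def aligned_strip(value=b"administrator:1675145060"):
    # 9 filler bytes make the prefix 32 bytes: two whole blocks that can be dropped
    forged = notification_cookie(b"x" * 9 + value)[2 * BLOCK:]
    return decrypt_notification(forged), stay_logged_in_user(forged)


# Hardened variant: tokens are authenticated and bound to their purpose
# (real code would use an AEAD such as AES-GCM with the purpose as associated data)
def seal(purpose, plaintext):
    ct = ecb_encrypt(ENC_KEY, plaintext)
    return ct + hmac.new(MAC_KEY, purpose + ct, hashlib.sha256).digest()


def open_token(purpose, token):
    ct, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, purpose + ct, hashlib.sha256).digest()):
        raise ValueError("token rejected")
    return ecb_decrypt(ENC_KEY, ct)


def hardened_checks():
    notif = seal(b"notification", PREFIX + b"x" * 9 + b"administrator:1675145060")
    results = {}
    for name, purpose, token in (("cross_purpose", b"stay-logged-in", notif),
                                 ("truncated", b"notification", notif[2 * BLOCK:])):
        try:
            open_token(purpose, token)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    results["legit"] = open_token(b"stay-logged-in", seal(b"stay-logged-in", b"wiener:1674923024106"))
    return results
```

Running aligned_strip() returns (b'administrator:1675145060', b'administrator'), matching what the page sees after deleting 32 bytes, while unaligned_strip_fails() returns the length error. In hardened_checks() the notification token is rejected when presented as a stay-logged-in token and again once blocks are removed, because the tag covers both the purpose string and the entire ciphertext; using a separate key per purpose would achieve the same separation.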

Now you have the encrypted value for the admin account. Go to the home page of the web application and intercept the request, delete the session cookie, replace the stay-logged-in value with the encrypted value obtained from Burp Decoder, and send the request. Now you have control of the admin account, as shown in my Repeater tab and in the web page.

Access to admin panel

Now go to the admin panel and delete the user carlos. You have successfully deleted the user.

Follow for more such stories.
