Lab: Authentication bypass via encryption oracle ( Business logic Vulnerabilities) #lab 11

Solution:

• Turn on burp then Access the lab login using given credential, also do not forgot to check stay logged in.
• In /POST request we have stay-logged-in= cookie
• So, when ever we send request our Browser include this cookie stay-logged-in=
• Next go to any blog post and comment anything , i do it multiple time and i find out , if we do like below image we got an error that's the point.

• We see Invalid error

• So it only replied for email address.
• Next Go to burp /Post/comment & see when we put hacker in email it gives us notification= in Set-Cookie in response.
• And this request is send to next /post?postId=6 request. & notification header is use here.
• Also check in /post?postId=6 response we see Invalid email address: hacker
• Also the upper error is in notification-header. & Invalid email address: hacker is encrypted and use in notification request header. or you say it decrypted and use there.
• So solution is follow and make 2 these types in repeater tab.
• Send both requests to Burp Repeater:

POST /post/comment
GET /post?postId=x

Rename them:
encrypt
decrypt

POST /post/comment
GET /post?postId=x

Rename them:
encrypt
decrypt

Next

• Copy the value of the stay-logged-in cookie and place it inside the notification cookie of the decrypt request.
• When sent, the server decrypts and reveals: wiener:1598530205184
• This confirms the authentication cookie format: username:timestamp
• Save the timestamp value.

Generate an Administrator Cookie

Use the encryption oracle by modifying the email parameter: administrator:1598530205184

Submit the request.

The response contains a newly encrypted notification cookie representing your chosen plaintext.

• However, when decrypted, it becomes: Invalid email address: administrator:1598530205184
• The application automatically prepends: Invalid email address:
• This unwanted prefix must be removed.

Identify the Block Cipher Limitation

Decode the encrypted cookie using Burp Decoder:

URL Decode
Base64 Decode

URL Decode
Base64 Decode

Attempting to remove only the prefix bytes causes a decryption error because the application uses a block cipher with 16-byte blocks.

• Since: Invalid email address:

is 23 bytes long, deleting only those bytes breaks block alignment.

Align the Prefix

To make removal possible, pad the beginning of your payload with 9 characters: xxxxxxxxxadministrator:1598530205184

• Why 9? → 23 + 9 = 32 bytes

32 bytes equals exactly:

• 2 AES blocks

Now encrypt this payload using the encryption oracle.

Remove the Prefix Blocks

Decode the new ciphertext:

URL Decode
Base64 Decode

URL Decode
Base64 Decode

• Delete the first: 32 bytes
• which correspond to: Invalid email address: xxxxxxxxx

Re-encode the ciphertext:

1. Base64 Encode
2. URL Encode

Insert the modified value into the notification cookie and send it to the decryption oracle.

The response now reveals:

administrator:1598530205184

administrator:1598530205184

The unwanted prefix has been successfully removed.

Forge the Administrator Authentication Cookie

Take the ciphertext that decrypts to: administrator:1598530205184

• Open a request to: GET /

Remove the existing session cookie and replace the stay-logged-in cookie with your forged ciphertext.

Send the request.

You are now authenticated as:

administrator

administrator

Access the Admin Panel

Browse to:

/admin

/admin

The administrator interface is now accessible.

Locate the delete-user functionality and visit:

/admin/delete?username=carlos

/admin/delete?username=carlos

The user carlos is deleted and the lab is solved.