Theory: Mmmmm, it's theory time. Well, you guys are lucky because I don't do theory at all, but it's needed for your basics. Trust me, after going through the process of juicing on those theory bits, the real fun begins, because now we can use all that knowledge in the real world for hacking...

Testing for the browser back button is simple: after a user logs out, you hit the back button. If the app still shows sensitive stuff, boom — that's the vulnerability. That's it. The rest I'll show you in practice, so let's gooooooooooo!

Steps

1. Walking around, I found someone's laptop open with an application login page, interesting. I clicked the browser back button

2. I was redirected to the application dashboard (sensitive stuff — that's why they are in red). I clicked on the user profile button and then clicked on the reset password button. Normally, I thought this would not be much of an issue, maybe the developer forgot to put cache mechanisms in place, and this was just cached… I was wrong

3. Since I am pentesting this site, I already knew the current password, but a real attacker would need to find it first. Since I am a white hat hacker, I skipped that process, typed the details, and clicked on the Update button

4. Got a successful message, hehehehehehe

5. Typed in the poor soul's username, entered the updated password, and clicked on the sign-in button

6. Logged in like a ninja, who slips in without anyone noticing. This was simple but powerful, as said by an actor in the famous Malayalam movie — Premam.

Note — Basically, I could do anything when I clicked on the browser back button. And guess what — I even created an admin account instead of resetting the password, because resetting a password requires the previous password, which only the victim knows. It was much easier to just create a new admin account and mess with the application like a "Hacker". But unfortunately, I lost the screenshots of that. I know it's sad, but keep in mind — sometimes these small browser back buttons are pure magic!

Remediation

Send cache-control headers so the browser never stores sensitive pages, and expire the user session on the server side at logout, so a replayed page or cookie is worthless. That ought to do it.
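As an added example (not code from this post or from the application I tested), here is a minimal Python model of that remediation: sessions live in a server-side table that logout deletes, and every sensitive response carries no-store headers. The class and function names are hypothetical.

```python
import secrets
import time
# Tell the browser (and proxies) never to keep a copy, so back cannot replay it.
NO_STORE_HEADERS = {"Cache-Control": "no-store, max-age=0", "Pragma": "no-cache"}

class SessionStore:
    """Server-side session table: the cookie value is only a random lookup key."""
    def __init__(self, ttl_seconds=900):
        self._sessions = {}  # session id -> {"user": ..., "expires": ...}
        self.ttl = ttl_seconds

    def create(self, username):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "expires": time.time() + self.ttl}
        return sid

    def lookup(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] <= time.time():
            self.destroy(sid)  # idle timeout: drop it server-side too
            return None
        return entry["user"]

    def destroy(self, sid):
        # Logout must delete the entry here; clearing the cookie alone is not enough.
        self._sessions.pop(sid, None)

def handle_dashboard(store, sid):
    """Sensitive page: needs a live server-side session and is never cached."""
    user = store.lookup(sid)
    if user is None:
        return 302, {"Location": "/login", **NO_STORE_HEADERS}, ""
    return 200, dict(NO_STORE_HEADERS), f"Welcome back, {user}"

def handle_logout(store, sid):
    store.destroy(sid)  # the server-side delete is what actually ends the session
    cookie = "sid=; Max-Age=0; HttpOnly; Secure"  # also clear it client-side
    return 302, {"Location": "/login", "Set-Cookie": cookie, **NO_STORE_HEADERS}, ""

def back_button_scenario():
    # Replays the post's scenario: log in, view dashboard, log out, press back.
    store = SessionStore()
    sid = store.create("alice")  # constructed sample user
    before = handle_dashboard(store, sid)
    handle_logout(store, sid)
    after = handle_dashboard(store, sid)  # same cookie replayed after logout
    return before, after
```

After logout the same cookie gets a redirect to the login page instead of the dashboard, and because the earlier dashboard response was marked no-store, the back button has nothing cached to show either.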

Premam movie dialogue

Simple! Java is very simple! Powerful! It is so powerful, isn't it? Then safe, Java is very safe.

Thanks for reading, my dear hackers, wannabe hackers, colleagues, and anyone needing this!