Hello everyone, in this article I will be sharing a detailed walkthrough of an authentication bypass vulnerability I identified during my testing of a public program on Bugcrowd.


After collecting subdomains, I ran Eyewitness on all of them and then started manually testing each subdomain.

While I was looking through subdomains, I picked one which looked pretty interesting…

It had an SSO login dashboard with no registration, indicating that it was definitely made for authorized/internal users only.


Something felt fishy about this dashboard…

Then I decided to analyze the JavaScript files loaded by the application in the browser.


While going through the JavaScript, I noticed that the app was storing its authentication state in localStorage, meaning things like session data and user info were being kept directly in the browser.🤨

persist:{
  key:"auth-user",
  storage:localStorage,
  paths:["sessionKey","userInfo","userRoles"]
}

This is fully controllable by the user!😲

After analyzing the code, I started getting a feeling that the authentication logic was tied to localStorage or some client-side auth state.

Then I tried manually creating that object: I set a fake sessionKey, along with some basic userInfo and userRoles, to see if the app would treat me as logged in.

I opened the browser's developer tools and navigated to the console tab, where I used the localStorage.setItem() function to manually insert a crafted authentication object to simulate a valid session:

localStorage.setItem("auth-user", JSON.stringify({
  sessionKey: "anything",
  userInfo: { id: "admin" },
  userRoles: [{ name: "Group Admin" }]
}))

Then I refreshed the page.

Annnnddd guess what… It worked! I logged in without any authentication!
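Why the forged object works, and what a guard that cannot be fooled this way looks like, as an added example that is not code from the original post or from the target application; the in-memory storage stand-in, the server-side session store and both guard functions are assumptions made for illustration:

```javascript
// Added example (not the post's or the target app's code): a route guard in
// the persisted-state pattern from the write-up, in its trusting form and in
// a hardened form. Storage stand-in, session store and guards are constructed.

// Stand-in for window.localStorage so the example runs under Node.
const fakeLocalStorage = {
  store: new Map(),
  setItem(key, value) { this.store.set(key, String(value)); },
  getItem(key) { return this.store.has(key) ? this.store.get(key) : null; },
};

// Server-side session store (constructed). Only sessions minted by the real
// SSO callback exist here, so a forged sessionKey is never found.
const serverSessions = new Map([
  ["srv-7f3a", { id: "alice", roles: ["Group Admin"] }],
]);

// Parse the persisted "auth-user" blob; anything unparsable counts as logged out.
function readPersistedAuth() {
  const raw = fakeLocalStorage.getItem("auth-user");
  if (raw === null) return null;
  try { return JSON.parse(raw); } catch { return null; }
}

// Vulnerable guard: it believes whatever the browser persisted, so anyone who
// can call setItem() is "logged in" with any role they choose.
function vulnerableGuard(requiredRole) {
  const auth = readPersistedAuth();
  if (!auth || !auth.sessionKey) return false;
  return (auth.userRoles || []).some(r => r && r.name === requiredRole);
}

// Hardened guard: the persisted blob is only a pointer to a session. The role
// decision comes from the server's record for that sessionKey (in a real app,
// a request such as GET /api/me), never from userRoles stored in the browser.
function hardenedGuard(requiredRole) {
  const auth = readPersistedAuth();
  if (!auth || typeof auth.sessionKey !== "string") return false;
  const session = serverSessions.get(auth.sessionKey);
  return session !== undefined && session.roles.includes(requiredRole);
}

// The object from the write-up, stored exactly as a user could via DevTools.
function storeForgedAuth() {
  fakeLocalStorage.setItem("auth-user", JSON.stringify({
    sessionKey: "anything",
    userInfo: { id: "admin" },
    userRoles: [{ name: "Group Admin" }],
  }));
}
```

The forged object satisfies the trusting guard but fails the hardened one, because the server has no session for the key "anything"; the same blob with a server-issued key passes.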

I bypassed the SSO login and got access; I was able to:

  • View users
  • Edit users
  • Delete users
  • Create groups
  • Manage groups
  • Edit groups
  • Delete groups

Then I started documenting each and every endpoint, made a report, and submitted it.

Got awarded $300 for this report. Slightly lower than expected, but still a win!


Happy Hacking!

If you found this article useful, please consider giving it a like 👍

Feel Free to connect with me on LinkedIn: https://www.linkedin.com/in/laganparihar