Authentication bypass using root object or Empty array.

Eslam Akl
Published in InfoSec Write-ups
3 min read · Mar 22, 2022

Last Update: 23 May 2022

Added the analysis section with more details.

Hey Hunters! Today we have a new write-up about one of my findings at a pentesting client. The method we used to bypass is tricky, and I want to share it with the community, so let’s get started.

Overview

The client's login process sends your credentials and returns the response as JSON. The trick is to wrap your credentials inside a root object; if the backend has an object with this name, the bypass works.

Note that the target used Cloudflare in front of the server, so it will be hard to focus on injections.

Steps to reproduce

1. Try to log in with dummy credentials to check the request and the response.

You will notice that the credentials are sent as JSON data, and the response is also JSON. At this point, I tried multiple tricks on the response, like:

Change false to true → Failed
Change the message to “Success” → Failed
Delete the whole msg → Failed
Delete the status → Failed

2. It's time to play with the request JSON data. Let's try converting it to XML to test for XXE, but no luck: no response returned.

3. Okay, let's convert it back to JSON using the same extension and send the request again.

Notice the change that happened after converting it back using the extension; that is why the response returned the data related to the default user.

4. Intercept the login request, change the JSON data as we tried before, and forward the request.

Change the data from
{"email":"test@aykalam.com","password":"test"}
to look like this:
{"root": {
    "password": "test",
    "email": "test@aykalam.com"
}}

5. You will find yourself logged in as an admin.

Analysis

After trying more and digging deeper with Live OverFlow and my teammates Ahmed Hesham, Karim Hany and Mohamed Saleh, we discovered the issue.

The target uses a custom framework, and the weakness lies in the default case of a custom function that handles the login process. I will give you an easy example to illustrate the weak points; it is just JS code, not the exact code that was used.

If you check the following code:

Coded by Karim Hany

You will notice that the IF statements are not written correctly: when an IF condition is false, the process does not terminate but continues on to the default case. This issue lets you bypass the authentication.

So, if you replace the login POST data with an empty object, you will get the same result.

Replace the following
{"email":"test@aykalam.com","password":"test"}
with
{"":""}
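The following is an added illustration, not the post's code and not the code from Karim Hany's image, of the weakness described in the analysis and of the empty-payload variant just above: a login handler whose IF statements fall through to a "default case" that issues a session, beside a version that fails closed. The account table, field names and response shape are all constructed for the example; the only thing taken from the post is the pattern of checks that do not terminate.

```javascript
// Added illustration (not the post's code): a login handler whose IF
// statements fall through to a "default case" that grants a session, and a
// hardened version that fails closed. The user table, field names and
// responses are constructed for this example.

// Constructed sample account table. A real system would store password
// hashes, not plaintext; the comparison is kept simple for illustration.
const USERS = [
  { email: "admin@example.test", password: "hunter2-admin", role: "admin" },
  { email: "user@example.test", password: "hunter2-user", role: "user" },
];

// VULNERABLE: models the weakness described in the post. Nothing sets a
// failure result when the expected fields are absent, so execution reaches
// the fallback branch, which builds a session for the first account in the
// table (the "default user" from the write-up).
function vulnerableLogin(body) {
  let result; // never given a safe (denied) default

  if (typeof body.email === "string" && typeof body.password === "string") {
    const user = USERS.find((u) => u.email === body.email);
    if (user && user.password === body.password) {
      result = { status: true, msg: "Success", user: user.email, role: user.role };
    } else {
      result = { status: false, msg: "Invalid credentials" };
    }
  }
  // No "else" above: {"root": {...}} or {"": ""} never enters the branch,
  // so neither the success nor the failure result is ever assigned.

  // "Default case": reached for any request that skipped the checks.
  // This is where the bypass lands.
  if (result === undefined) {
    const fallback = USERS[0];
    result = { status: true, msg: "Success", user: fallback.email, role: fallback.role };
  }
  return result;
}

const DENY = Object.freeze({ status: false, msg: "Invalid credentials" });

// HARDENED: validate the request shape first, return immediately on every
// failing check, and leave no code path that issues a session without a
// verified credential.
function hardenedLogin(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return DENY;
  }
  const { email, password } = body;
  if (typeof email !== "string" || typeof password !== "string") {
    return DENY;
  }
  const user = USERS.find((u) => u.email === email);
  if (!user || user.password !== password) {
    return DENY;
  }
  return { status: true, msg: "Success", user: user.email, role: user.role };
}

// Constructed payloads mirroring the three request bodies from the write-up.
const PAYLOADS = {
  wrongCreds: { email: "test@aykalam.com", password: "test" },
  rootObject: { root: { password: "test", email: "test@aykalam.com" } },
  emptyKey: { "": "" },
};

// Stand-alone demo: each payload against both handlers.
for (const [name, body] of Object.entries(PAYLOADS)) {
  console.log(name, "vulnerable:", vulnerableLogin(body), "hardened:", hardenedLogin(body));
}
```

Running it shows the wrong-credential request denied by both handlers, while the root-object and empty-key requests are accepted as the first (admin) account only by the vulnerable one. The defensive point is the shape of the code rather than any particular field: every branch of an authentication function must end in an explicit deny or an explicit verified success, and there must be no reachable path that produces a session without passing through the credential check. A quick review heuristic is to search login handlers for a result variable that is declared without a denied default, or for a trailing fallback that builds a user object.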

Thanks for reading, and I hope you got it well ❤

Thanks to

Live OverFlow, Ahmed Hesham, Karim Hany and Mohamed Saleh

Stay in touch

LinkedIn | GitHub | Twitter



Responses (2)


Thanks, Eslam! But I don't get it: how would passing a root property in the object lead to an API responding with such data? Can we have an example of server code that would lead to such a vulnerability?

--

Hello!!! Thanks for the write-up; sorry for my question, just trying to get it well.
So
4. The response wasn't the same, and I used the same extension to convert the request back from XML to JSON.
>>> this means your request (with test parameters) was…

--