Authentication bypass via flawed state machine

Description

This lab makes flawed assumptions about the sequence of events in the login process.

Reproduction

  1. With Burp running, complete the login process with wiener:peter and notice that you need to select your role before you are taken to the home page.

  2. Use the content discovery tool to identify the /admin path.

  3. Try browsing to /admin directly from the role selection page and observe that this doesn’t work.

  4. Log out and then go back to the login page. In Burp, turn on proxy intercept then log in.

  5. Forward the POST /login request. The next request is GET /role-selector. Drop this request and then browse to the lab’s home page. Observe that your role has defaulted to the administrator role, and you have access to the Admin panel.

  6. Delete Carlos to solve the lab.

PoC

Exploitability

An attacker will need to log in; exploit the flaw to bypass the lab’s authentication, access the admin interface, and delete Carlos.