
🗂️PortSwigger Lab Writeup: Authentication Bypass via Information Disclosure

PortSwigger lab description page for Auth Bypass via Info Disclosure


🎯 Objective

The objective of this lab is to find an information disclosure vulnerability in a web application that has the HTTP TRACE method enabled and, through it, leaks an internal authentication header. Our goal is to use that header to access the admin interface and delete the user carlos.

  • Lab URL: https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-authentication-bypass
  • Category: Information Disclosure
  • Difficulty: Apprentice

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • First, open the lab URL in your browser and observe what the site is about and how it works.
    Screenshot: lab instance showing the shopping website interface
    Screenshot: login page of the lab instance
  • At first glance, the website is a shopping site with a login page. The lab description mentions an admin panel that we need to access.

🧰Step 2: Accessing Admin Panel

  • To reach the admin panel, first try opening the /admin page.
    Screenshot: attempted /admin access, restricted to local requests, before any custom headers are added
  • So we have guessed the admin panel location, but it is only available to local users, meaning localhost (127.0.0.1).
  • Open Burp Suite and send the /admin request to the Repeater tab with Ctrl + R.
    Screenshot: Burp Suite Repeater tab with the /admin request
  • In the Repeater tab, change the request method from GET to TRACE to see whether any internal authentication headers are added by proxy servers.
    Screenshot: TRACE response echoing the internal authentication header X-Custom-IP-Authorization
  • In the echoed response we can see a header appended by the server, X-Custom-IP-Authorization, which it uses to decide whether the request came from localhost.
  • To confirm this, send the request again with the header X-Custom-IP-Authorization: 127.0.0.1 added.
    Screenshot: successful access to the admin panel after adding the X-Custom-IP-Authorization: 127.0.0.1 header
  • After adding the X-Custom-IP-Authorization: 127.0.0.1 header, the admin panel becomes accessible.
  • To add X-Custom-IP-Authorization to every request automatically, go to the Proxy tab settings, then under Match and Replace Rules add a new Request header rule:
    • Match: ^ (or leave blank to match all requests)
    • Replace: X-Custom-IP-Authorization: 127.0.0.1
    Screenshot: Burp Suite Proxy settings showing the match-and-replace rules section
    Screenshot: new match-and-replace rule that adds the X-Custom-IP-Authorization header to all requests
  • Now Burp Suite modifies every request by appending the X-Custom-IP-Authorization header, so the admin panel is accessible through our proxy.
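The two signals in this step (a TRACE request reaching the application, and a request from an external address that carries a header only the internal proxy should set) are also what a defender would hunt for in access logs. The script below is an added example written for this writeup, not part of the lab or of PortSwigger's material. It assumes a hypothetical JSON-per-line access log captured at the edge, where the peer address is the real client's; the sample lines, the field names (peer, method, path, status, headers) and the finding labels are all constructed for the example.

```python
import json
from ipaddress import ip_address

# Constructed sample access log (one JSON object per line); not real traffic.
# The fourth line models the bypass: an external client reaching /admin by
# supplying the internal header itself.
SAMPLE_LOG = """
{"peer": "127.0.0.1", "method": "GET", "path": "/admin", "status": 200, "headers": {}}
{"peer": "203.0.113.5", "method": "GET", "path": "/admin", "status": 401, "headers": {}}
{"peer": "203.0.113.5", "method": "TRACE", "path": "/admin", "status": 200, "headers": {}}
{"peer": "203.0.113.5", "method": "GET", "path": "/admin", "status": 200, "headers": {"x-custom-ip-authorization": "127.0.0.1"}}
{"peer": "198.51.100.7", "method": "GET", "path": "/", "status": 200, "headers": {}}
"""

# Headers that only trusted infrastructure should ever add (names lowercased).
INTERNAL_HEADERS = {"x-custom-ip-authorization"}
ADMIN_PREFIX = "/admin"


def parse_log(text):
    """Yield (line_no, record) for each non-blank JSON line; blank lines are skipped."""
    line_no = 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        line_no += 1
        yield line_no, json.loads(raw)


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; malformed addresses count as non-local."""
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def findings_for(record):
    """Return the list of finding labels that apply to one log record."""
    out = []
    peer_local = is_loopback(record.get("peer", ""))
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}

    # 1. TRACE should never reach the application at all.
    if record.get("method", "").upper() == "TRACE":
        out.append("trace-method")

    # 2. An internal-only header arriving from a non-loopback peer was set by the client.
    if not peer_local and any(h in headers for h in INTERNAL_HEADERS):
        out.append("spoofed-internal-header")

    # 3. A successful admin response to an external peer contradicts the intended policy.
    if (not peer_local
            and record.get("path", "").startswith(ADMIN_PREFIX)
            and record.get("status") == 200):
        out.append("admin-200-from-external")
    return out


def scan(text):
    """Scan a whole log and return (line_no, finding) pairs in log order."""
    return [(ln, f) for ln, rec in parse_log(text) for f in findings_for(rec)]


if __name__ == "__main__":
    for ln, finding in scan(SAMPLE_LOG):
        print(f"line {ln}: {finding}")
```

Run against the constructed sample, line 3 is flagged for the TRACE probe and line 4 for both the spoofed header and the external admin access; the legitimate loopback request on line 1 produces nothing. If the log is taken behind the proxy instead of at the edge, the peer field is the proxy's address and the second check needs the real client address from the proxy's own forwarding header instead.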

🚀Step 3: Delete carlos

  • Open the admin panel at /admin.
    Screenshot: admin panel
  • Delete the user carlos to complete the lab.
    Screenshot: PortSwigger lab solved confirmation banner after deleting carlos
  • The lab is solved.

🧠 Conclusion

  • This lab demonstrated how an information disclosure vulnerability through the HTTP TRACE method can be exploited to bypass access controls. By sending a TRACE request, we discovered the internal header X-Custom-IP-Authorization used by the server to allow local access.
  • By injecting X-Custom-IP-Authorization: 127.0.0.1 into our requests, we successfully accessed the admin interface and deleted the user carlos.
  • Such vulnerabilities can have a severe impact, as attackers could gain unauthorized access to sensitive admin functionalities.
  • This highlights the importance of disabling dangerous HTTP methods like TRACE, avoiding reliance on client-controlled headers for access control, and ensuring proper server-side validation of user origin and permissions.
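To make the last point concrete, here is an added example (written for this writeup, not code from the lab or from PortSwigger) that puts the lab's access check beside a hardened one. The Request class, the function names and the frozenset of allowed methods are assumptions for the example; the header name X-Custom-IP-Authorization and the localhost rule come from the lab itself.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

# Header name from the lab, lowercased because header names are case-insensitive.
INTERNAL_HEADER = "x-custom-ip-authorization"


@dataclass
class Request:
    peer_ip: str                      # address of the TCP peer, read from the socket
    method: str
    path: str
    headers: dict = field(default_factory=dict)   # header names lowercased


def _is_loopback(addr):
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def admin_allowed_vulnerable(req):
    """Models the lab's flaw: a client-controlled header overrides the real peer address."""
    claimed = req.headers.get(INTERNAL_HEADER, req.peer_ip)
    return _is_loopback(claimed)


def strip_internal_headers(req):
    """Edge-proxy mitigation: drop any internal header a client supplied, so that
    from this point on only the proxy itself can set it."""
    req.headers = {k: v for k, v in req.headers.items() if k != INTERNAL_HEADER}
    return req


def admin_allowed_hardened(req, allowed_methods=frozenset({"GET", "POST"})):
    """Hardened check: refuse diagnostic methods such as TRACE outright and decide
    on the socket peer address only, never on a header the client could have set."""
    if req.method.upper() not in allowed_methods:
        return False
    return _is_loopback(req.peer_ip)


if __name__ == "__main__":
    spoofed = Request("203.0.113.5", "GET", "/admin",
                      {INTERNAL_HEADER: "127.0.0.1"})   # constructed external request
    print("vulnerable:", admin_allowed_vulnerable(spoofed))
    print("hardened:  ", admin_allowed_hardened(spoofed))
    print("after strip:", admin_allowed_vulnerable(strip_internal_headers(spoofed)))
```

The same external request is admitted by the vulnerable check and rejected by the hardened one; stripping the header at the edge also closes the hole even if the vulnerable check stays in place, which is the cheapest fix when the backend cannot be changed quickly. Disabling TRACE at the web server (for example with TraceEnable off in Apache httpd) removes the echo that revealed the header name in the first place.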