Suppose a web app is being tested where all the functionality is behind a login.

One of the tests to be run is to check whether any of the pages are available without log-in.

We try the actual url of the page we want to reach and see if it redirects us to the login page, or, if it shows us the content without log-in (bad).

To automate this process we have a list of (supposedly) all the valid urls and we run a script that tries each page and records what the response code was.

If response is 200 then we got access without login, however if response is 301, 403 etc. then we're good on that url.

The issue is that this web app is returning 200 codes even when redirecting to login page.

Is there another way to detect the redirect?

Mark Buffalo
pzirkind

  • Your premise that 200 means you got access without login is faulty. There's more than one way to do a redirect and returning the login page with a 200 for a non-login-page URL if the requester is unauthenticated would be a sane, although not preferred, thing to do. – Blrfl Dec 05 '17 at 00:14
  • One possibly quick way for filtering out responses would be to quickly check the response size in bytes. It should be the same for all the "redirect to login" responses and then you can just go through the responses which do not have the correct response size. – Shurmajee Dec 05 '17 at 05:07

3 Answers


Web Applications and HTTP Status Codes

If it's returning 200 on both an unauthorized page (302 Redirects to 200 login page), and an authorized page (discovered authorized page), there are some things you can do:

  1. You can look for what happens on a successful login. Make a fake account, log in. See what does get included on the real page, and what doesn't. That's how you'll find your unique string.
    • Keep in mind: if there is a WAF or something, it could just start redirecting all of your incoming requests to 3xx/4xx, whether it's for valid or invalid requests.
  2. Parse the HTTP response for HTML code or a string that would not appear on the login page, OR a string that ONLY appears on the Login page.
    • For example, the string "Unauthorized," or "Please Log In" could appear. You would want to exclude responses with those strings.

Both can be done using Python, or any scripting/programming language you want to use, including bash. Bash will, however, be much slower.


Could you provide an example please?

Sure. See below.


1. Using Python

You will have to edit this. It's quick example code.

import pycurl
from io import BytesIO  # Python 3 replacement for the old StringIO module

c = pycurl.Curl()
c.setopt(c.VERBOSE, 0)

def send_req(url):
    # Fresh buffer per request so one response never leaks into the next check
    html = BytesIO()
    c.setopt(c.URL, url)
    c.setopt(c.WRITEFUNCTION, html.write)
    c.perform()
    body = html.getvalue().decode("utf-8", "replace")
    # Return True only if the page carries a string the login page never shows
    return "successful non-login-page string to search for" in body

with open("dir-or-file-list.txt") as f:
    for line in f:
        path = line.strip()  # drop the trailing newline from the list file
        if not path:
            continue
        if send_req("http://haxlogin.page/" + path):
            print("[!] Found a valid page: %s" % path)

I don't have time to check if this Python works, it's just a general example on how you could make it work with Python, so you'll need to edit it.


2. Using Burp Suite Pro

With Burp Intruder, on the attack dialog, you can use a filter. Imagine 2xx returns "Unauthorized" as the unique code/string. You will want to exclude "Unauthorized" from the search like so:

Filter:

  1. Filter by search term "Unauthorized", negative search
  2. Filter by status code: 2xx [success]

3. Using OWASP Dirbuster

Options -> Advanced Options -> Scan Options -> Fail Case String -> Enter a string that appears only on the login page


302 Redirects

Keep in mind: many applications perform a 302 redirect after posting something successfully.

That doesn't necessarily mean a 302 redirect is bad, or that you didn't find anything. Use curl -L to follow the redirect and see where that gets you.

You will likely also want to check the contents of the redirected page so you don't miss anything.

Mark Buffalo


If the server is redirecting with a 200, then they're probably performing a meta refresh. You will need to review the body of the HTTP 200 response and look for something like this:

<head>
    <meta http-equiv="refresh" content="0;URL='https://www.example.com/login'" />
</head>
gowenfawr

  • It could also be a JavaScript based redirect or something akin to the old Server.Transfer() (from classic ASP and other frameworks) where you load another page's content without changing the URL. – Xander Dec 04 '17 at 20:42


If the application is returning a 200 when it's actually redirecting, you're going to have to parse the content of the response. You can either parse the URL, or if that doesn't tell you what you need to know, parse the content for the login fields.

Dan Landberg
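The three answers above each describe one signal for telling a real redirect from a 200 that merely serves the login page: a unique string (answer 1), a meta refresh or JavaScript redirect in the body (answer 2 and Xander's comment), and login form fields in the content (answer 3). This added example, not code from any of the answers, combines them into one classifier run over constructed sample responses; the marker string "Please Log In", the sample bodies and the `classify` function are assumptions for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample responses as (status, headers, body). They are made up for this
# example and not captured from any real application.
SAMPLES = {
    "hard_redirect": (302, {"Location": "/login"}, ""),
    "meta_refresh": (200, {}, "<head><meta http-equiv='refresh' "
                              "content=\"0;URL='https://www.example.com/login'\"></head>"),
    "js_redirect": (200, {}, "<script>window.location = '/login';</script>"),
    "login_form": (200, {}, "<form action='/login' method='post'>"
                            "<input type='password' name='pw'></form>"),
    "content": (200, {}, "<h1>Account settings</h1><p>Welcome back</p>"),
}

# Soft-redirect markers: a <meta http-equiv="refresh"> tag or a script that rewrites
# the location. These are heuristics, so status code and body are both inspected.
META_REFRESH = re.compile(r"<meta[^>]+http-equiv\s*=\s*['\"]?refresh['\"]?[^>]*>", re.I)
JS_REDIRECT = re.compile(
    r"(?:window|document)\.location(?:\.href)?\s*=(?!=)|location\.replace\(", re.I)


class LoginFormDetector(HTMLParser):
    """Flags a body that carries a password input, i.e. a login form."""

    def __init__(self):
        super().__init__()
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.has_password_field = True


def classify(status, headers, body, login_marker="Please Log In"):
    """Return 'redirect', 'soft-redirect', 'login-page', 'accessible' or 'other'."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdrs:
        return "redirect"            # real HTTP redirect: the URL is protected
    if status != 200:
        return "other"               # 401/403/404 etc.: not accessible either
    if META_REFRESH.search(body) or JS_REDIRECT.search(body):
        return "soft-redirect"       # 200 whose body sends the browser elsewhere
    detector = LoginFormDetector()
    detector.feed(body)
    if detector.has_password_field or login_marker.lower() in body.lower():
        return "login-page"          # 200 that served the login page inline
    return "accessible"              # 200 with real content: needs a manual look
```

Only responses classified as "accessible" need a manual review; Shurmajee's size heuristic can be layered on top by comparing `len(body)` against the login page's length before calling `classify`.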