Forced Browsing to Access Admin Panel

Hello hackers, it’s been a while and I haven’t write anything about my finding. So, I decided to share one of my interesting findings. I am not allowed to share the organization name so I will be using redacted.com as the main domain.

*.redacted.com is in scope. As usual, I started with subdomain enumeration, for subdomain enumeration I mostly use a combination of subfinder +findomain+amass. After enumerating all subdomains of redacted.com, I saw an interesting subdomain admin.redacted.com. So I think why not try pwning admin panel. I fired my burp suite and started exploring admin.redacted.com. When I open admin.redacted.com then the website redirected me to the login page admin.redacted.com/login. I tried for some common username/password combinations to log in but none worked. Side by side I fetched all Javascript files using the GetJS tool and started looking for juicy information in JS files. I got some common path in JS files like /admin/dashboard , /admin/user , /backend , /admin/user/backend. When I try to browse these paths then the website again redirected me to the login page. I was like.

Then I started looking into all requests of admin.redacted.com in burp. I saw an interested endpoint /backend/admin/user/user-menu.json in which the cookie header having PHPSESSID and some extra server-side cookies.

So, I thought why not try to explore the endpoints /admin/dashboard, /admin/user, /backend, /admin/user/backend using those cookies, and yayy I can see all details of the admin panel which is exposing server-side sensitive information. I was only allowed to browse endpoint by forced browsing to the path with cookies, when I manually try to browse by clicking on the website then again I was redirected to the login page. So, I can see details only by forced browsing the path with cookies I have.

Timeline:

October 21, 2020 — Reported

October 26, 2020 — Triaged and Bounty awarded

December 10, 2020 — Fixed.

Thanks for reading, hope you learned something new. Do clap and share if you like. I will write more of my findings soon so, stay tuned for my next write-up.

Twitter: 7he_unlucky_guy