Web Application Penetration Test Tricks Part III – No Redirect Upon Login
Ready for one last slick web application penetration test trick? In this installment we'll explore a subtle and often overlooked vulnerability related to web application authentication. In response to the login request containing posted authentication credentials, the web application should return a "302 Found" redirect with a corresponding "Location" header specifying the next page within the application workflow. However, many web applications instead return a "200 OK" response without this intermediate redirect. So what's the problem?
In essence, browsers decide whether to resubmit posted data to a web application based on the response code the web application returned. When a "200 OK" response is received, the data originally submitted to the web application will be resubmitted when the "Back" button is clicked. When a "302 Found" redirect is received, however, the original submission is not repeated; instead, the browser re-requests the next page within the application workflow (i.e., the page specified in the "Location" header of the "302 Found" redirect).
Attackers can leverage this vulnerability by waiting for victims to log out of the application and then clicking the "Back" button until the authentication credentials are resubmitted to the application, at which point the victim's account is effectively compromised. The attacker can now masquerade as the victim within the web application, compromising the confidentiality, availability, and integrity of sensitive information handled by the web application. Refer to https://www.owasp.org/index.php/OWASP_AppSec_FAQ#Is_it_really_required_to_redirect_the_user_to_a_new_page_after_login.3F for more information regarding this vulnerability.
So how do you test for this vulnerability? Simple! Just use an intercepting proxy server such as Burp to verify that the response to the login request containing the posted authentication credentials is a "302 Found" redirect with a corresponding "Location" header. If the response to that login request is instead a "200 OK", the application is vulnerable. See http://portswigger.net/burp/proxy.html for more information regarding the Burp intercepting proxy server.
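The proxy check above, as an added example that is not code from the original post: a small Python classifier for a raw login response as it would appear in an intercepting proxy's response pane. The sample responses are constructed, and the check also accepts a "303 See Other" redirect, since it likewise makes the browser fetch the next page with a GET.

```python
"""Added example (not from the original post): classify a captured login response."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LoginCheck:
    status: int
    location: Optional[str]
    vulnerable: bool
    reason: str


def check_login_response(raw: str) -> LoginCheck:
    """Parse a raw HTTP response and report whether login redirects after POST."""
    # Headers end at the first blank line; the body (if any) is not needed here.
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    location = headers.get("location")

    # 302/303 plus Location: the history entry becomes the GET of the next page,
    # so "Back" re-requests that page rather than resubmitting the credentials.
    if status in (302, 303) and location:
        return LoginCheck(status, location, False, "redirect after login")
    if 200 <= status < 300:
        return LoginCheck(status, location, True,
                          "login POST answered directly; 'Back' may resubmit credentials")
    if 300 <= status < 400 and not location:
        return LoginCheck(status, location, True, "redirect without Location header")
    return LoginCheck(status, location, True, f"unexpected status {status} for a login POST")


# Constructed sample responses (not captured from any real application).
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=constructed-value; HttpOnly\r\n"
    "\r\n"
    "<html><body>Welcome back</body></html>"
)
SAFE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /account/home\r\n"
    "Set-Cookie: session=constructed-value; HttpOnly\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, raw in (("vulnerable", VULNERABLE_RESPONSE), ("safe", SAFE_RESPONSE)):
        print(name, check_login_response(raw))
```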
That's all for the "Web Application Penetration Test Tricks" blog series. I hope you've enjoyed the ride and learned some useful tricks! Cheers!