Hello there,
I am Pratik Dabhi, a Bug Bounty Hunter and a Penetration Tester. Many of you may already know me, but for those who don’t, please visit my website to learn more about me.
So, in this blog, I wanted to share an interesting bug that I found on an MNC (Multi-National Company) website. The story starts when I was doing recon on my target: I found a few interesting subdomains that gave me 403 errors. I thought, why not try to fuzz them and bypass the protection? So I used the 4-Zero-3 tool to bypass the security, and then I found a few more interesting endpoints that helped me bypass the protection. Let’s get started.
What is a 403 Error?
A 403 Forbidden error is an HTTP status code meaning that the client reached the server, but the server refuses to serve what was requested. Common causes include:
· The client is not authorized for the requested resource (an unauthenticated client would normally get a 401, but many servers return 403 for both cases).
· The server is configured to answer 403 rather than 404 for resources that do not exist, so that an attacker cannot tell which paths are real.
· Access is restricted by source IP address or network, for example an admin or monitoring path that a reverse proxy or WAF only allows from internal ranges.
· The server, or a rule in front of it, denies the path to everyone, which is the usual way operational endpoints are hidden on a public host.
403 Bypass is the act of circumventing a 403 Forbidden response and reaching the protected resource anyway. Most bypasses work because two components (typically a reverse proxy, CDN or WAF in front, and the application server behind it) interpret the same request differently: the front component sees something that does not match its deny rule, while the backend still resolves the request to the protected resource. None of the techniques is guaranteed to work. Some of the most common are:
· Path fuzzing: requesting the resource through different spellings of the same path, so that the filter in front sees a path that does not match its deny rule while the backend still maps it to the protected resource. For example, if you are trying to access /admin/, you could try /admin/., /admin%2e/, /admin;/ or /admin/..;/, as well as changes of case and trailing characters.
· HTTP header fuzzing: sending the same request with headers that may change how the backend identifies the client or the path. For example, set the Referer header to a page on the target, change the User-Agent, or add headers such as X-Forwarded-For: 127.0.0.1, X-Original-URL or X-Rewrite-URL, which some backends trust to mean the request came from localhost or was for a different path.
· Exploiting vulnerabilities in the server software: a more advanced method, and one that can cause real damage to the target if you don’t know what you’re doing.
What is the 4-Zero-3 tool?
4-Zero-3 bundles the common techniques for bypassing 403/401 responses (path variations, encodings and header tricks) into one script and reports the status code each variant returns. You can learn more about it on GitHub.
I started with the basics, collecting all the subdomains of the target using tools like amass, Sublist3r and others.
I used waybackurls along with httpx to probe the URLs and retrieve their current status codes.
I found that https://staging.target.com/actuator/prometheus gave me a 403 error, while its parent folder returned 200 OK. As I had found a few bugs on targets using Spring Boot, I was familiar with /actuator folders on websites, but I was not aware of /prometheus, what it is and why it is used, so I used Google to gather some information about it. If you don’t know, let me brief you about it.
What is Actuator?
Spring Boot Actuator is a sub-project of Spring Boot that adds production-ready monitoring and management features to a Spring Boot application. It exposes operational information about the running application, such as health, metrics, info, env, threaddump and heapdump, through HTTP endpoints or JMX beans.
Actuator is not present in a plain Spring Boot application: it becomes available once you add the spring-boot-starter-actuator dependency to the project. With the dependency in place the endpoints are served under the /actuator base path, but Spring Boot 2.x and later expose only health (and, in older 2.x releases, info) over HTTP by default; the others have to be opted in through the management.endpoints.web.exposure.include property, and setting it to * exposes them all, which is how endpoints like env and heapdump end up reachable on a public host. The /actuator/prometheus endpoint additionally needs the micrometer-registry-prometheus dependency.
What is Prometheus?
Prometheus is a monitoring system and time-series database that periodically scrapes metrics from HTTP endpoints. /actuator/prometheus is the Actuator endpoint that publishes the application’s metrics in the Prometheus text exposition format so that a Prometheus server can scrape them. The Prometheus project’s own security model presumes that untrusted users have access to the Prometheus HTTP endpoints and logs, and therefore to all time-series information in the database plus a variety of operational debugging information; only trusted users are presumed able to change the command line, configuration file, rules files and other aspects of the runtime environment of Prometheus and its components. That is exactly why an operator who considers the metrics sensitive (JVM and host details, request URIs and counts, pool sizes) has to restrict the scrape endpoint at the application or network level rather than rely on the monitoring stack to do it.
I found this endpoint interesting, so I used 4-Zero-3 to bypass it, and after testing a few payloads the tool found that using URL encoding I was able to bypass it.
So the URL looks something like https://staging.target.com/actuator/prometheus;%2f..%2f..%2f
After investigating the endpoint I found some interesting information in it, which may help an attacker investigate the target application further and exploit it accordingly.
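To make clear why a path like the one above gets past a front-end filter, here is a small model added to the write-up (it is not the author’s tooling, not the 4-Zero-3 code, and it does not describe the target’s real setup). It runs the path-fuzzing variants from the list earlier, including the ;%2f..%2f..%2f payload, through two layers: a front-end that percent-decodes and collapses .. before matching an assumed deny rule on /actuator/, and a servlet-container-style backend that, like Tomcat (Spring Boot’s default embedded server), strips ; path parameters from the raw path before decoding. The deny rule, the candidate list and the normalization order of each layer are assumptions made for the demo; the hardened front-end at the end shows the canonicalize-then-match fix.

```python
"""Two-layer model of the path-normalization mismatch behind 403 bypasses.
Added illustration; the deny rule, candidate list and exact normalization
order of each layer are assumptions, not the target's real configuration."""
from urllib.parse import unquote
import posixpath

DENY_PREFIX = "/actuator/"   # assumed front-end rule: everything under Actuator is 403


def frontend_normalize(raw_path: str) -> str:
    """Front-end model (proxy/WAF): percent-decode, then collapse '.' and '..'.
    It knows nothing about servlet path parameters, so ';...' stays in the path."""
    return posixpath.normpath(unquote(raw_path))


def strip_path_parameters(raw_path: str) -> str:
    """Servlet-container model: in every segment, drop ';' and whatever follows.
    This runs on the *undecoded* path, so an encoded slash (%2f) after the ';'
    does not start a new segment and is swallowed along with the parameter."""
    return "/".join(seg.split(";", 1)[0] for seg in raw_path.split("/"))


def backend_normalize(raw_path: str) -> str:
    """Servlet-container model: strip path params, then decode, then collapse dots."""
    return posixpath.normpath(unquote(strip_path_parameters(raw_path)))


def frontend_blocks(raw_path: str) -> bool:
    """Naive front-end decision: prefix match on its own view of the path."""
    return frontend_normalize(raw_path).startswith(DENY_PREFIX)


def hardened_frontend_blocks(raw_path: str) -> bool:
    """Defensive front-end: reject ambiguous encodings outright, otherwise
    canonicalize exactly as the backend does before matching the rule."""
    lowered = raw_path.lower()
    if any(token in lowered for token in (";", "%2f", "%2e", "%25")):
        return True
    return backend_normalize(raw_path).startswith(DENY_PREFIX)


def simulate(raw_path: str, frontend=frontend_blocks) -> dict:
    """What each layer does with one raw request path."""
    blocked = frontend(raw_path)
    served = None if blocked else backend_normalize(raw_path)
    return {
        "naive_frontend_view": frontend_normalize(raw_path),
        "blocked_at_frontend": blocked,
        "backend_serves": served,
        # A bypass means the front-end let the request through AND the backend
        # resolved it to something the deny rule was meant to protect.
        "bypass": served is not None and served.startswith(DENY_PREFIX),
    }


def candidate_paths(target: str) -> list[str]:
    """Path-fuzzing variants of the kind a 403-bypass tool tries (constructed list)."""
    parent, _, leaf = target.rpartition("/")
    return [
        target,
        f"{target}/",
        f"{target}/.",
        f"{parent}/%2e/{leaf}",
        f"/%2e%2e{target}",
        f"{parent}/..;/{leaf}",
        f"{parent};/{leaf}",
        f"{target};x",
        f"{target};%2f..%2f..%2f",      # the variant from the write-up
        f"{parent.upper()}/{leaf}",     # case change: backend routes are case-sensitive
    ]


def find_bypasses(target: str, frontend=frontend_blocks) -> list[str]:
    """Raw paths from candidate_paths() that reach the protected resource."""
    return [p for p in candidate_paths(target) if simulate(p, frontend)["bypass"]]


if __name__ == "__main__":
    for path in candidate_paths("/actuator/prometheus"):
        r = simulate(path)
        outcome = "BLOCKED" if r["blocked_at_frontend"] else f"passes, backend serves {r['backend_serves']}"
        print(f"{path:40} front-end sees {r['naive_frontend_view']:28} {outcome}")
    print("naive front-end bypassed by:", find_bypasses("/actuator/prometheus"))
    print("hardened front-end bypassed by:", find_bypasses("/actuator/prometheus", hardened_frontend_blocks))
```

Run it to print each variant and what both layers do with it. The two variants that reach /actuator/prometheus are the ones where a ; hides part of the path from the front-end’s prefix match: the front-end decodes ;%2f..%2f..%2f into a traversal that normalizes to / and waves it through, while the backend discards the whole path parameter and serves the protected endpoint. Case changes pass the front-end but land on a path the case-sensitive backend does not route, so they are not counted as bypasses. The hardened front-end blocks every candidate because it refuses ambiguous encodings and otherwise matches on the backend’s canonical form.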
Mitigation
A 403 bypass is usually a mismatch: the component that issues the 403 (WAF, reverse proxy or CDN rule) decides on a different reading of the request than the component that finally serves it. To fix one, you first need to identify the exact request that got through and which layer normalized it differently; then you move or duplicate the access decision so that the serving component enforces it itself.
Here are some general steps that you can follow to fix a 403 bypass:
· Identify the method that is being used to bypass your security measures. Compare the raw request line for the bypassing request in the proxy logs and in the application logs; the difference between the two shows which normalization step was exploited. A web application firewall (WAF) can help detect and block the malicious traffic in the meantime.
· Update your server software. Make sure that you are using the latest version of your proxy, application server and framework, and that all security patches are installed.
· Configure your server correctly. Deny by default, allow only the paths you intend to expose, and make sure the application itself enforces the rule rather than relying solely on a filter in front of it.
· Use strong authentication mechanisms. Operational endpoints such as /actuator should require authentication at the application level, not only an IP or path rule at the edge.
· Monitor your server for suspicious activity. Alert on requests whose paths contain path parameters (;), encoded slashes or dot segments, and on 200 responses for paths that your edge rules are supposed to deny.
Here are some additional steps for the specific types of 403 bypass:
Path fuzzing: canonicalize the path (percent-decode, strip ; path parameters, collapse . and ..) the same way the backend does before matching deny rules, and reject requests that remain ambiguous (encoded slashes, double encoding, path parameters) rather than trying to match them. Better still, enforce the rule in the application: for Spring Boot, require authentication for /actuator/** with Spring Security, expose only the endpoints you actually need through management.endpoints.web.exposure.include, and bind the management endpoints to a separate port (management.server.port) that is not reachable from the internet.
HTTP header fuzzing: configure the backend to trust X-Forwarded-For, X-Forwarded-Host and similar headers only when they are set by your own proxy, and have the proxy strip or overwrite any client-supplied copies. Make sure nothing in the stack honours X-Original-URL or X-Rewrite-URL unless you deliberately rely on it. A WAF rule that blocks such headers from external clients is a reasonable second layer.
Exploiting vulnerabilities in server software: keep the proxy, servlet container and framework patched, since many request-parsing and path-normalization bypasses are fixed as ordinary security updates to those components, and review their configuration after each upgrade.
Thanks, everyone, for reading :)
Happy Hacking ;)
Support me if you like my work! Buy me a coffee and Follow me on Twitter.
Website:- https://www.pratikdabhi.com/
Instagram:- https://www.instagram.com/i.m.pratikdabhi
Twitter:- https://twitter.com/impratikdabhi