Hello Readers,
This post will be focused on setting up a vulnerable thick client application and finding vulnerabilities. The blog post is an unofficial part of the on going series of post by NetSPI. NetSPI has released a vulnerable thick client app called BetaFast which has two versions - BetaBank and BetaFast based on 2-tier and 3-tier architecture respectively. The app is coded by Austin Altmann and he is writing the walk-through series.
Note: At the time of writing this blog, the walk-through/write-up for authorization bypass vulnerability was yet to be published by NetSPI and therefore I decided to create this blog post.
All the credit for developing and maintaining this app goes to Austin and NetSPI team. You can find some of the cool write-ups here. Let's start.
Setting up Betafast -
1. Download the files from github - https://github.com/NetSPI/BetaFast .
2. Extract and open the .sln file with Visual Studio
3. Look for App.config
4. Edit the App.config file's baseUri key value as betafast.net as shown in
the screenshot below-
5. Click on Build -
6. Install docker desktop for Windows from
here.
7. You need to enable Hyper-V for running docker-desktop. Following command can be run as administrator and a restart is required to run docker-desktop.
To enable:
bcdedit /set hypervisorlaunchtype auto
To disable:
bcdedit /set hypervisorlaunchtype off
8. Navigate to the docker folder of Betafast and open powershell.
This post will be focused on setting up a vulnerable thick client application and finding vulnerabilities. The blog post is an unofficial part of the on going series of post by NetSPI. NetSPI has released a vulnerable thick client app called BetaFast which has two versions - BetaBank and BetaFast based on 2-tier and 3-tier architecture respectively. The app is coded by Austin Altmann and he is writing the walk-through series.
Note: At the time of writing this blog, the walk-through/write-up for authorization bypass vulnerability was yet to be published by NetSPI and therefore I decided to create this blog post.
All the credit for developing and maintaining this app goes to Austin and NetSPI team. You can find some of the cool write-ups here. Let's start.
Setting up Betafast -
1. Download the files from github - https://github.com/NetSPI/BetaFast .
2. Extract and open the .sln file with Visual Studio
3. Look for App.config
7. You need to enable Hyper-V for running docker-desktop. Following command can be run as administrator and a restart is required to run docker-desktop.
To enable:
bcdedit /set hypervisorlaunchtype auto
To disable:
bcdedit /set hypervisorlaunchtype off
8. Navigate to the docker folder of Betafast and open powershell.
9. To launch the servers, use the following commands in the same directory as docker-compose.yml:
docker-compose build docker-compose up
10. Now let's make the following entry in windows host file -
12. Configure Burpsuite proxy listener to the same and let's start with finding the vulnerability.
Finding the Vulnerability -
Step 1: Click on 'Create Account' to register a new low privileged user -
Step 2: Register using some credentials -
Step 3: Login and check HTTP History and we will see an interesting request is made to confirm if the following user is admin or not -
Step 4: Before tampering the response, let's explore the user panel and you can see the below screenshot has limited no. of tabs and functionality -
Step 5: Now logout and login again while keeping the intercept on in order to change the response in the fly -
Step 5: We would be able to access to Admin functions that are available in the application -
Step 6: Let's add an admin user to confirm if we really can perform admin actions from low privileged user -
Conclusion : We were able to bypass the access control mechanism and access admin dashboard to perform unauthorized actions from a low privileged account.
Thanks for reading. You can read more about access control bypass from here.
This is highly informatics, crisp and clear. I think that everything has been described in systematic manner so that reader could get maximum information and learn many things. Vulnerabilty
ReplyDelete