PayPal Gesture Pay Admin Panel Authentication Bypass

During my participation in the PayPal bug bounty program I came across an application that allows making payments using a signature or gesture drawn on your mobile phone. The app was hosted at https://apac.paypal-labs.com/gesture/; I guess it was still in development, since it was hosted on a paypal-labs subdomain.

Poking around the app, I found an admin panel login page by adding /admin to the URL (https://apac.paypal-labs.com/gesture/admin/login.php).

I was presented with a login form, which required a user name and password in order to access the admin panel.

I tried some common page names in the URL, such as https://apac.paypal-labs.com/gesture/admin/index.php, and noticed I was redirected back to the “login.php” page.

I fired up Burp and intercepted the request to “index.php”. I forwarded the request and intercepted the response: the status line read “HTTP/1.1 302 Found”, and below the HTTP headers there was a lot of HTML.

I changed the response status line to “HTTP/1.1 200 Found” and forwarded the response. To my surprise I was presented with the admin panel content, which gave me full access to all pages and features (I had to change the response status to “200” for each page I wanted to access).

I reported this issue to PayPal; the application was removed immediately and is no longer available.

Here’s a video of the process of exploiting this vulnerability:

Paypal Gesture Pay Admin Panel Authentication Bypass from NightRanger on Vimeo.

Although this was a black-box test and I didn’t have access to the page source code, I could tell why this issue occurred.

Here is sample code which illustrates the issue:

<?php
session_start();
// Check for an authenticated session; if there is none, send a redirect to the login page.
if (!isset($_SESSION["auth"])) {
    header('Location: login.php');
    // No exit here: the script keeps running, so the protected page below
    // is still rendered into the body of the 302 response.
}
?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

The above code checks whether the user has an established session and, if not, redirects the user back to the login page. The problem is that the page containing this check is still rendered and sent in the body of the redirect response, because script execution is not terminated after header() is called.

And here is a simple fix:

<?php
session_start();
if (!isset($_SESSION["auth"])) {
    header('Location: login.php');
    // Stop here so the protected page below is never rendered into the redirect response.
    exit;
}
?>
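The defect above is easy to test for from the response side: a redirect to the login page should carry an empty (or near-empty) body, so a 3xx response that contains a full HTML page is a sign that the script kept executing after the redirect header was set. The following is an added example (not code from the original post or from PayPal) that parses a raw HTTP response and flags that pattern; it inspects the body directly, so it does not need the status code to be rewritten in a proxy. The sample responses are constructed, and the 256-byte threshold and HTML markers are assumptions chosen for the demonstration.

```python
"""Detect "redirect with a leaked body" responses.

Added example (not from the original post): parses a raw HTTP response and
flags a 3xx redirect that still carries page content, the symptom of calling
header('Location: ...') without terminating the script afterwards.
All sample responses below are constructed for the demonstration.
"""
import re

# Markers that suggest a full page was rendered rather than a bare redirect stub (assumed).
PAGE_MARKERS = (b"<form", b"<table", b"<body", b"<!doctype", b"<html")
# Small bodies such as "Redirecting..." or an empty string are normal for a redirect (assumed threshold).
BODY_THRESHOLD = 256


def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP/1.x response into status code, lower-cased headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed response: no header/body separator")
    lines = head.split(b"\r\n")
    m = re.match(rb"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return {"status": int(m.group(1)), "headers": headers, "body": body}


def is_leaky_redirect(raw: bytes) -> bool:
    """True when a redirect response still contains page content.

    This is what rewriting "302" to "200" in a proxy would reveal; here the
    body is inspected directly, so no status rewriting is needed.
    """
    resp = parse_response(raw)
    if not (300 <= resp["status"] < 400 and "location" in resp["headers"]):
        return False
    body = resp["body"].lower()
    return len(body) > BODY_THRESHOLD or any(marker in body for marker in PAGE_MARKERS)


# Constructed sample: the shape of response the vulnerable admin/index.php returned.
LEAKY = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: login.php\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">\r\n'
    b"<html><body><h1>Admin panel</h1>\r\n"
    b"<table><tr><td>user</td><td>status</td></tr></table>\r\n"
    b"</body></html>\r\n"
)

# Constructed sample: the response after the exit-after-header fix.
FIXED = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: login.php\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Constructed sample: an ordinary successful page, not a redirect at all.
NORMAL = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Login</body></html>\r\n"
)


def check_all() -> dict:
    """Run the check over the constructed samples and return the verdicts."""
    return {
        "leaky": is_leaky_redirect(LEAKY),
        "fixed": is_leaky_redirect(FIXED),
        "normal": is_leaky_redirect(NORMAL),
    }


if __name__ == "__main__":
    for name, leaked in check_all().items():
        print(f"{name}: {'LEAKED BODY' if leaked else 'ok'}")
```

The same check can be run over responses saved from a proxy or from a scripted crawl of every page behind the login: any redirect to login.php whose body trips the check is a page that needs the exit after header().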


There is a way to browse the admin panel without changing the response code manually in Burp Suite.
You can configure Burp to do so using the following steps:

1. Go to Proxy Tab –> Options Tab –> Match and Replace.
2. Click the “Add” button.
3. Enter the following settings:

Type: Response Header
Match: 302 Found
Replace: 200 Found

I made a simple demo showing the process of exploiting the same issue using Burp’s automatic replacement feature:

Authentication Bypass Example Using Burp from NightRanger on Vimeo.
