Decrypting Requests and Manipulating Responses to Gain Super Admin Access
Summary:
- Identify the request encryption mechanism and successfully break it.
- Develop a Burp Suite plugin and Python code for decrypting and encrypting requests.
- Exploit the response manipulation vulnerability to escalate privileges to a super admin.
Before starting the penetration test, I gather information about the target, such as how the application works, the techniques involved, how the application integrates with the API, etc.
After analyzing the application, I discovered that all requests sent by the application are encrypted, which makes it impossible to modify any request in transit and impedes the pentest.
To overcome this obstacle, I decided to analyze the JavaScript code because the encryption occurs on the client-side. During this process, I encountered numerous JavaScript libraries and frameworks.
Analyzing all of them in detail to understand how the application sends requests would require far more time than was allocated for this penetration test, so I devised an alternative approach.
Using the Burp Suite search feature, I searched for all the encrypt/decrypt functions employed by the JavaScript frameworks. Investigating the ‘AES’ occurrences revealed the mechanism: the application uses the ‘CryptoJS’ library to encrypt the request data.
By analyzing the specific file responsible for the encryption mechanism, I located the key used for data encryption, “********0052021”, and the encryption type, “AES”.
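The finding above (a passphrase shipped inside the front-end bundle) is something a reviewer can look for before a tester does. The scanner below is an added example, not the author's tool or any part of the target application: it walks a JavaScript source for CryptoJS cipher and HMAC calls and reports every one whose key argument is a string literal, either inline or through a `var`/`let`/`const` assigned from a literal (with or without `CryptoJS.enc.X.parse(...)`). The bundle fragment and the key values in it are constructed for the example; only the redacted key format mirrors the page.

```python
import re

# Constructed fragment standing in for a minified front-end bundle (not the page's code).
SAMPLE_BUNDLE = r'''
var h=CryptoJS.enc.Utf8.parse("********0052021");
function enc(d){return CryptoJS.AES.encrypt(JSON.stringify(d),h,{mode:CryptoJS.mode.CBC}).toString()}
function enc2(d){return CryptoJS.AES.encrypt(d,"hunter2-app-key").toString()}
function dec(c){return CryptoJS.AES.decrypt(c,h).toString(CryptoJS.enc.Utf8)}
function sign(d){return CryptoJS.HmacSHA256(d,window.sessionKey).toString()}
'''

# CryptoJS calls whose second argument is the key / passphrase.
CALL_RE = re.compile(
    r'CryptoJS\.(?:(?:AES|DES|TripleDES|Rabbit|RC4)\.(?:encrypt|decrypt)'
    r'|Hmac(?:SHA1|SHA256|SHA512|MD5))\s*\('
)
STRING_RE = re.compile(r'^\s*(["\'])(.*)\1\s*$', re.S)
# var|let|const NAME = "literal"   or   NAME = CryptoJS.enc.X.parse("literal")
ASSIGN_RE_TMPL = r'(?:var|let|const)\s+{name}\s*=\s*(?:CryptoJS\.enc\.\w+\.parse\(\s*)?(["\'])(.*?)\1'


def split_args(src, open_idx):
    """Return the top-level, comma-separated arguments of the call whose '(' is at open_idx.
    Tracks nesting and string literals so commas inside objects or strings are not split."""
    depth, i, cur, args, quote = 0, open_idx + 1, [], [], None
    while i < len(src):
        ch = src[i]
        if quote:
            cur.append(ch)
            if ch == '\\':                      # keep escaped char, skip it
                cur.append(src[i + 1]); i += 1
            elif ch == quote:
                quote = None
        elif ch in '"\'':
            quote = ch; cur.append(ch)
        elif ch in '([{':
            depth += 1; cur.append(ch)
        elif ch in ')]}':
            if depth == 0:                      # closing paren of the call itself
                args.append(''.join(cur).strip()); return args
            depth -= 1; cur.append(ch)
        elif ch == ',' and depth == 0:
            args.append(''.join(cur).strip()); cur = []
        else:
            cur.append(ch)
        i += 1
    return args


def classify_key(src, key_expr):
    """Decide whether a key expression resolves to a value present in the bundle."""
    m = STRING_RE.match(key_expr)
    if m:
        return 'literal', m.group(2)
    if re.fullmatch(r'[A-Za-z_$][\w$]*', key_expr):
        am = re.search(ASSIGN_RE_TMPL.format(name=re.escape(key_expr)), src)
        if am:
            return 'literal-via-variable', am.group(2)
    return 'runtime', None                      # e.g. window.sessionKey: not decidable statically


def find_client_side_keys(src):
    """Report every CryptoJS call whose key is recoverable from the bundle itself."""
    findings = []
    for m in CALL_RE.finditer(src):
        args = split_args(src, m.end() - 1)
        if len(args) < 2:
            continue
        kind, value = classify_key(src, args[1])
        if kind == 'runtime':
            continue
        findings.append({
            'line': src.count('\n', 0, m.start()) + 1,
            'call': m.group(0).rstrip('( \t'),
            'key_source': kind,
            'key': value,
        })
    return findings


if __name__ == '__main__':
    for f in find_client_side_keys(SAMPLE_BUNDLE):
        print(f"line {f['line']}: {f['call']} uses {f['key_source']} key {f['key']!r}")
```

Run over the constructed bundle, it flags the three AES calls (two through the variable `h`, one with an inline literal) and leaves the HMAC call alone because its key comes from a runtime value. A hit means the ciphertext protects nothing against the browser's own user; the control that matters is TLS for transport and server-side validation of whatever the client sends.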
To test the application, I need a tool that decrypts the data so that I can make the necessary modifications and then re-encrypt it with the key mentioned above.
You can find the Python tools for encryption and decryption that I wrote in the links below.
Performing these steps [decrypt — modify — re-encrypt] manually with the tool for every request would consume too much time. Instead, I let the tool decrypt specific data when needed, and I wrote a plugin for the Burp Suite proxy that decrypts and encrypts with a single click. This saves time when testing every request in the application.
The screenshot below shows the Burp Suite plugin I developed to decrypt/encrypt the data in requests.
Now that I can decrypt and re-encrypt requests, I will begin testing the application.
After logging in, I noticed strange behavior in the next request: the user’s permissions are delivered to the application in the response. The application’s reliance on this response to determine the user’s privileges and access level is a security risk. An attacker can intercept the response, decrypt it, and manipulate the permissions, allowing a regular user to elevate their privileges to those of a super administrator.
After intercepting the response, you can observe that the user permissions are present in the response but encrypted.
I can decrypt this data to read it as plain text.
Unfortunately, modifying user permissions requires knowing the other permissions that exist in the application; without them, it would be impossible to make meaningful changes.
While performing an investigation using “Burp Suite Proxy”, I searched for the keyword “permission” and discovered an interesting endpoint exposed within a JavaScript file. Upon making a request to this endpoint, I was able to obtain a comprehensive list of permissions.
I re-encrypt the modified permission list and replace the body of the response intercepted in the Burp Suite proxy with it.
Amazing! I achieved privilege escalation from a normal user to a super admin.
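The root cause of the escalation is that authority flowed from a response the client could edit. The example below is added here and is not the target application's code or the author's tooling: it contrasts an authorization check that trusts the permission list the client sends back (the pattern the write-up exploits) with two server-side alternatives: re-deriving permissions from the session on every request, and, where the client must cache a permission list, signing it with a secret that never leaves the server. The user records, session id, secret and request shape are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed server-side records (assumed for the example; not from the page).
USERS = {
    "u-100": {"role": "user", "permissions": {"profile:read", "profile:update"}},
    "u-1": {"role": "super_admin",
            "permissions": {"profile:read", "profile:update", "users:delete", "roles:assign"}},
}
SESSIONS = {"sess-abc": "u-100"}          # opaque session id -> user id, set at login
SERVER_SECRET = b"constructed-example-secret-never-shipped-to-client"


@dataclass
class Request:
    session_id: str
    action: str
    # Whatever the client chose to send back from the login response it stored.
    client_claims: dict = field(default_factory=dict)


def authorize_vulnerable(req):
    """Trusts the permission list the client supplies. An edited login response
    (or any edited request) becomes real authority on the server."""
    perms = set(req.client_claims.get("permissions", []))
    return req.action in perms


def authorize_fixed(req):
    """Ignores client claims entirely: permissions are re-derived from the server-side
    session -> user -> permissions records on every request."""
    user_id = SESSIONS.get(req.session_id)
    if user_id is None:
        return False
    return req.action in USERS[user_id]["permissions"]


def issue_signed_perms(user_id):
    """If the client must cache its permissions, hand them out under an HMAC so that
    any modification is detectable when they come back."""
    payload = json.dumps({"uid": user_id, "permissions": sorted(USERS[user_id]["permissions"])},
                         sort_keys=True).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return {"payload": base64.b64encode(payload).decode(), "sig": sig}


def authorize_signed(req):
    """Accept a cached permission list only if its signature verifies and it belongs
    to the user bound to this session."""
    token = req.client_claims.get("token")
    if not token:
        return False
    try:
        payload = base64.b64decode(token["payload"])
    except Exception:
        return False
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("sig", "")):
        return False                       # list was edited after the server signed it
    claims = json.loads(payload)
    return claims["uid"] == SESSIONS.get(req.session_id) and req.action in claims["permissions"]


def demo():
    # Constructed: the client edited its stored login response to include admin rights.
    tampered = Request("sess-abc", "users:delete",
                       client_claims={"permissions": ["profile:read", "users:delete", "roles:assign"]})
    honest = Request("sess-abc", "profile:update",
                     client_claims={"permissions": ["profile:read", "profile:update"]})
    # Same edit applied to a signed list: the payload changes, the signature does not.
    tok = issue_signed_perms("u-100")
    forged_claims = json.loads(base64.b64decode(tok["payload"]))
    forged_claims["permissions"].append("users:delete")
    forged = {"payload": base64.b64encode(json.dumps(forged_claims, sort_keys=True).encode()).decode(),
              "sig": tok["sig"]}
    return {
        "vulnerable_tampered": authorize_vulnerable(tampered),
        "fixed_tampered": authorize_fixed(tampered),
        "fixed_honest": authorize_fixed(honest),
        "fixed_unknown_session": authorize_fixed(Request("sess-zzz", "profile:read")),
        "signed_genuine": authorize_signed(Request("sess-abc", "profile:read", {"token": tok})),
        "signed_forged": authorize_signed(Request("sess-abc", "users:delete", {"token": forged})),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The server-side lookup is the primary fix: the permission list in the login response then serves only to shape the UI, and editing it changes nothing the server enforces. The signed variant is a fallback for designs that must cache permissions client-side; it still needs an expiry and a revocation path, which the example omits.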