I found a web app that claims to be impossible to hack! Try it here!
๐ฏ Challenge Files & Infrastructure
Provided Files
1
Files:None
๐ Initial Analysis
First Steps
Initially, the website appears as follows:
Site Presentation
Clicking on the Login button, I was redirected to the following page:
Login
Inspecting the page source, I didn’t find anything interesting, so I decided to inspect the request using burpsuite:
BurpSuite
Since there’s not much information provided here, I considered a possible bypass with a PHP Type Confusion. Let’s move on to the exploitation phase.
๐ฌ Vulnerability Analysis
Potential Vulnerabilities
PHP Type Confusion
PHP Type Juggling
๐ฏ Solution Path
Exploitation Steps
Initial setup
In PHP, when using the weak comparison operator (==), the values being compared are type-converted before the comparison (which doesn’t happen with ===). By sending a data type different from the one used for comparison, you can trigger strange behaviors that result in a True comparison, allowing you to bypass restrictions.
Exploitation
The exploitation is quite simple. Instead of sending a string (as shown in the BurpSuite screenshot), I sent an array in this way: username[]=&pwd[]=a, for example. Once the comparison is made and type juggling occurs, I achieved the bypass and, consequently, obtained the flag.
Flag capture
Manual Flag
๐ ๏ธ Exploitation Process
Approach
The automatic exploit sends a POST request with the parameters username[]=&pwd[]=a to leverage the type confusion and extracts the flag from the response using a regex.
