Exploiting Admin Panel Like a Boss

Hello Everyone (Ram Ram Ji),

Today I wanna talk about one of my unique & quickest finding on HackerOne’s Private Program. It was all about an Admin Panel Access. So let’s get started.


1) Bypassing Scenario for admin login page:

I picked up one of their assets from that program and while accessing that URL i simply put /admin directory at the end of that asset. I got a 403 error on that page. So I thought why not to give a shot to bypass that 403 error after that, I perform some techniques to bypass that 403 error but no success. Later, I thought why not change the host header value of that request. Then what I was noticed that the 403 error disappeared and Admin Panel Login Page appears with 200 Ok status code.

Request was looked like:

Original Request/Response:

GET /admin HTTP/1.1
Host: redacted.com

HTTP/1.1 403 Forbidden
Access Denied

Access Denied | Forbidden Page

Modified Request/Response (Bypass):

GET /admin HTTP/1.1
Host: google.com

HTTP/1.1 200 Ok
Admin Panel Login Page(Source Code)

200 OK with Wrong Credentials

2) Accessing the admin panel:

This is a favorite part of my finding. Well, whenever I testing any admin panel my first priority is that I always enter admin admin as username & password, and luckily this thing works here and I got access to the admin panel.

Admin Panel Access

Steps to Reproduce (According to Report):

  1. Navigate to “​https://redacted.com/admin" give (403 error).
  2. Then intercept that request with the help of Burp Suite.
  3. After intercept that request simply change the host header value from redacted.com to​​ google.com & hit Go.
  4. You will found that the server does not validate that request properly. It simply opens up an admin panel login page.
  5. Now Error Changes into 403 Forbidden to 200 OK (Bypassing Done)
  6. But now I don’t have the right credentials to get access to the admin panel.
  7. Luckily I tried ‘admin’ as a username and ‘admin’ as a password.
  8. Got Success.


Bounty Reward

June 30, 2018 — Reported to Private Program
June 30, 2018 — Report Triaged
July 05, 2018 — Vulnerability fixed
July 22, 2018 — Bounty of $1500 USD awarded

Special thanks to nullr3x (Big Bad Bro 🤑)

"CS-Engineer" | "Bughunter • Hackerone • Bugcrowd (Top 150)" | "Synack Red Teamer" • @sechunt3r