Jan 10, 2022

Source: www.wallpaperflare.com

A brief intro

Execution After Redirect (EAR) is an attack where an attacker ignores redirects and retrieves sensitive content intended for authenticated users. A successful EAR exploit can lead to complete compromise of the application.

Consider a web application that has login functionality. Users who have an account can access content/features in this web application only by logging in. Unauthenticated users are redirected to the login page for them to first log in and get an authenticated session. This is one of the many situations where the Execute After Redirect or EAR vulnerability may creep in. An EAR vulnerability arises in an improper implementation of code where the developer assumes that the execution stops after redirect. However, that is not true, and the remaining part of the page also gets executed.

The following code snippet shows such an implementation:

<?php 
  if (!$loggedin) {
     print "<script>window.location = '/login';</script>"; 
  } 
?>

// Contents only visible to logged in users.

If you have a sharp eye, you might have noticed it. No problem if you did not catch it. Let me show it to you. The PHP code checks if the user is authenticated or not. If not, it will redirect them to the login page located at /login. But there’s no one telling the program to stop executing all the code after the redirect. So, all the code that should run only when a user has a valid session will also get executed. If we use a proxy tool such as BurpSuite or ZAP (yeah, I like both of them), we can modify the response of 302 Found redirect into a 200 OKresponse. We will get into that part later. Let’s first fix the code real quick:

<?php 
  if (!$loggedin) {
     print "<script>window.location = '/login';</script>";
    die();
  } 
?>

// Contents only visible to logged in users.

By simply invoking the die() function, we are able to stop the execution of the code. The remaining code will not execute now.

Demonstration — Fun part :)

Now comes the fun part, aye? The website present on the HTB box named Previse (which is now retired) is vulnerable to this EAR vulnerability.
I first fuzzed the file names using a tool called dirbuster. Most of these files are responding with a 302 Found status code. One thing to notice here is the value of the Content-Length header in the Response is quite high which is not usually the case with redirect responses.

Fuzzing for files using dirbuster

If we visit any such page (as an unauthenticated user) using tools such as cURL that do not follow the redirect, we can clearly see the contents that should only be visible to an authenticated user.

It can allow attackers to steal private sensitive data as well as perform actions to which they are not authorized.

We can use BurpSuite’s inbuilt match and replace feature to automatically convert the 302 redirects to 200 OK responses. But do keep in mind that it may conflict with some pages and can act weird.

Match and replace on BurpSuite

I hope you enjoyed reading this article on EAR. If you have any questions, feel free to contact me. Connect with me on Twitter @manash036.