Securin Zero-Days

CVE-2016-11014 – Authentication Bypass in Netgear Router

Severity: High

Vendor: NetGear

Affected Product: JNR1010_firmware

CVE: CVE-2016-11014

Securin ID: 2016-CSW-01-1015

Status: Fixed

Date: October 28, 2018

Description

An authentication bypass vulnerability was identified in Netgear JNR1010 devices running firmware before 1.0.0.32. Access control is incorrect because the "ok" value of the auth cookie is treated as a special case, which allows remote attackers to bypass authentication mechanisms via unspecified vectors.

Proof of Concept (POC):

Authentication Bypass: Without credentials, try accessing a URL that a regular user can no longer reach once logged out, with the auth token value set to “ok” and an HTTP Basic Authentication header carrying a password value.

Improper Session Management: Create a fake session ID and submit the request to the server with the credentials. You can see that the session ID does not change after logging in or during the logout process.

Figure 01: Session id created by an attacker before login.

Figure 02: Attacker Session id is not changed even after login.

Figure 03: Session id remains the same, even after logging out from the current session.

Figure 04: Back button history of the accessed router after logging out.

Figure 05: The auth token is set to “ok” after logging into the router, but we could not access any pages just by pressing the back button after logging out.

Figure 06: Changing the auth token value from “ok” to “nok” and removing extra session tokens gives access to the unauthorized page with the same session id created by an attacker.

Figure 07: Authentication logic is bypassed, and an attacker can access any pages inside login without credentials.
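The two flaws shown above, seen from the server side, as an added example that is not Netgear's firmware code or part of the original advisory: a check that trusts a client-supplied auth value, next to a session store that issues a fresh ID at login and invalidates it at logout. The cookie names `auth` and `session`, the `SessionStore` class and the sample credentials are assumptions made for illustration.

```python
import hmac
import secrets

# Cookie names "auth" and "session" are assumptions; the advisory names only
# an auth token and a session id.

def vulnerable_is_authenticated(cookies):
    # Flawed pattern: the decision rests on a value the client controls.
    return cookies.get("auth") == "ok"

class SessionStore:
    """Hardened pattern: the cookie is an opaque ID; state lives server-side."""

    def __init__(self, users):
        self._users = users      # username -> password (constructed sample data)
        self._sessions = {}      # session ID -> username

    def login(self, presented_sid, user, password):
        expected = self._users.get(user, "")
        ok = hmac.compare_digest(expected.encode(), password.encode())
        if not (user in self._users and ok):
            return None
        # Never adopt the ID the client arrived with; it may have been planted.
        self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def logout(self, sid):
        # Invalidate server-side so a replayed cookie is worthless.
        self._sessions.pop(sid, None)

    def is_authenticated(self, cookies):
        # Only a server-issued, still-live session ID counts; "auth" is ignored.
        return cookies.get("session") in self._sessions
```
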

Impact

By leveraging this vulnerability, an attacker can bypass authentication mechanisms via unspecified vectors.

Remediations

Download the latest firmware version and update the device as per the vendor advisory.

Timeline

Oct 28, 2015: Discovered in Netgear Router Firmware Version 1.0.0.24
Oct 28, 2015: Reported to vendor
Nov 03, 2015: Netgear technical team started addressing the issue after several follow-ups.
Dec 13, 2015: Vulnerability was fixed.
Dec 30, 2015: The updated Netgear Router JNR1010 version 1.0.0.32 was released.
