The Story Of How I Bypass SSO Login
I decided to tell you my stories about offensive security. This is the first story I share on my blog. Hope it will be a good start. In these stories, of course, I can not give the company names but I will tell you how it happened and I will use sometimes example pictures or censured pictures.
I found this bug in the Hackerone platform. I chose one target and started with the first step.
Always my first step is copying the whole domain addresses from the target page and pasting it to the txt file for my bash script. For more understanding, you may check the script from here: https://github.com/zer0da/subEnum
While the bash doing his job, I started to investigate the company as usual. What their jobs are, which technologies they are using etc.
After the bash had done his job, all the subdomains were found and written to the new txt file. After then I always start my python script to parse reachable subdomains. For more understanding, you may check the script from here: https://github.com/zer0da/SubChecker
Then I started to check subdomains to detect any unusual thing. Hacking sometimes requires some Spidey Sense to find that hole. On one page, I saw that the page requires SSO login but before that, for 1 millisecond I was able to see the page behind it.
I think that was a logical issue on the website. So, I started to examine from the burp proxy.
First I tried to change methods like GET to POST, TRACE, etc.
But it didn’t work.
Hımmm I should think in a different way.
I opened another path of the website and copied its response which returns 200 OK and reachable. Then I intercepted the SSO login page response.
After then I paste copied response to this response and forward it.
The page was reachable by me and I shouldn’t have access. Bug found.