Breaking path normalisation has been my biggest interest over the past couple of years. Let me explain exactly why I have chosen to invest time in this attack vector, and how to exploit it. Firstly, let me introduce myself: my name is Blake, and I'm a part-time software engineer at Pentesterlab, an SRT member for Synack and a pentester for Cobalt.
Why Did I Invest Time In Path Normalisation?
Path normalization is one of those hit-and-miss vulnerabilities, and exploiting it requires pure logical thinking. There are no real patterns to look for like XSS or other attacks where the payload is reflected; it's just trial and error, looking for nuances and differences in the response. The post-adrenaline rush once you hit something internal is absolutely orgasmic. Not just that, it almost always has solid impact when you hit an internal path. Think about it: they are hiding these internal services/APIs because they don't want the public to see the sensitive information, so they put reverse proxies in front to shut them off from the public.
What is Path Normalization?
Normalizing a path means transforming the string that identifies a path or file so that it conforms to a single valid form on the target system. Normalization typically involves canonicalizing path components (resolving "." and ".." segments, collapsing repeated separators and, in many servers, percent-decoding) and directory separators.
Developers rely on this when they write reverse proxy rules to block certain internal paths from being passed through and upstreamed to internal services. This is what we are breaking: the proxy matches its rule against one form of the path, while the backend normalizes the request into another form before routing it, and path traversal and other bypass techniques exploit that gap.
Note: Don't confuse this with LFI, though; we're not accessing internal files, we're accessing internal paths.
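To make that gap concrete, here is a small Python model I have added to this write-up; it is not code from the original post, nor the behaviour of any product named here. The deny rule "/internal", the way backend_canonical() rewrites a path, and the probe list are all constructed assumptions chosen to show how a proxy that matches the raw request line can be walked past by a backend that normalizes more aggressively, and how matching on the canonical form closes it.

```python
"""Toy model: a reverse-proxy deny rule vs. a backend that normalizes paths.

Added example for this write-up. Everything below is constructed for
illustration: the deny rule, the backend's canonicalisation steps and the
probe paths do not describe any specific product or target.
"""
import posixpath
import re
from urllib.parse import unquote

# Hypothetical deny rule: the proxy must never forward anything under /internal.
BLOCKED = "/internal"


def naive_proxy_allows(raw_path: str) -> bool:
    """Deny rule applied to the request path exactly as received.

    This is the buggy pattern: the string that gets matched is not the
    string the backend will eventually act on.
    """
    return not raw_path.startswith(BLOCKED)


def backend_canonical(raw_path: str) -> str:
    """Constructed model of what an upstream turns the path into before routing.

    It stacks behaviours that individually exist in real servers/frameworks
    (assumed here, not measured on any target):
      1. ';param' suffixes are dropped from each segment (path parameters)
      2. percent-decoding happens twice (proxy and app server each decode once)
      3. repeated slashes collapse and '.' / '..' segments are resolved
    """
    segments = [seg.split(";", 1)[0] for seg in raw_path.split("/")]
    path = unquote(unquote("/".join(segments)))
    path = re.sub(r"/+", "/", path)
    path = posixpath.normpath(path)  # resolves '..' and drops it at the root
    return path if path.startswith("/") else "/" + path


def reaches_blocked(raw_path: str) -> bool:
    """True if the backend would route this request under BLOCKED."""
    canon = backend_canonical(raw_path)
    return canon == BLOCKED or canon.startswith(BLOCKED + "/")


def hardened_proxy_allows(raw_path: str) -> bool:
    """Apply the deny rule to the path the backend will actually see."""
    return not reaches_blocked(raw_path)


# Constructed probe set: a blocked path plus the kinds of variants a tester
# tries when looking for normalisation differences, and one legitimate path.
PAYLOADS = [
    "/internal/admin",                # direct request: the naive rule blocks it
    "/public/../internal/admin",      # plain traversal
    "/public/..%2f/internal/admin",   # encoded slash
    "/%2e%2e/internal/admin",         # encoded dots
    "/%252e%252e/internal/admin",     # double-encoded dots
    "/public/..;/internal/admin",     # path-parameter trick
    "//internal/admin",               # leading double slash
    "/public/help",                   # legitimate, must stay reachable
]


def find_bypasses(payloads=PAYLOADS):
    """Raw paths the naive rule forwards that still land under BLOCKED."""
    return [p for p in payloads if naive_proxy_allows(p) and reaches_blocked(p)]


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p:30} naive={naive_proxy_allows(p)!s:5} "
              f"hardened={hardened_proxy_allows(p)!s:5} "
              f"backend_sees={backend_canonical(p)}")
    print("bypasses:", find_bypasses())
```

Two things to take from running it. First, every variant except the direct request passes the naive rule and still ends up at /internal/admin, which is exactly the "difference in the response" you hunt for: the proxy's answer for the raw path and the backend's answer for the canonical path disagree. Second, canonicalise-then-match only holds if the proxy's canonicalisation is at least as aggressive as every backend's; when that cannot be guaranteed, the stricter policy is to refuse any request whose canonical form differs from the raw path at all, or to allow-list the handful of public prefixes rather than deny-list the internal ones.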
Here is a picture of a valid attack:
What Impact Can We Achieve?
The impact of a path normalization bypass ranges over things such as:
- Sensitive information leaks
- Access to internal services like JBoss EAP, Tomcat, AEM and internal APIs, plus more
- Some of these services even offer RCE by design (management consoles that let you deploy code, for instance).
- Some allow you to write to the API for higher impact.
The impact is very high in most cases.
What tools do I use?
I keep it simple, KISS (Keep It Stupid Simple)
- Chrome DevTools
- Assetnote Wordlists
As I said, it requires pure logic to find these vulns. 🧠
What Did The Crypto Hack Look Like?
Okay, enough of the technical side of things; let's talk about my hack and what the massive impact was. Before I get into details, the bug cannot be disclosed at the moment, so everything will be redacted.
I started off using Chrome DevTools and was looking through the XHR requests and documents. I noticed there was not much there, so I decided to open up Burp and start crawling the in-scope assets. I generally test all paths with my pre-built wordlist and my brain. I noticed that on one path I hit the internal root API, performed directory brute-forcing and could access the User Center API.
This did not provide much impact, so I continued testing other paths.
FYI: Every path may front a different backend service/API to access; the external attack surface is much larger with these types of attacks.
Upon further investigation, I found another path, so I performed my usual tests with a combination of traversal and directory brute-forcing, and I could access the Internal Admin Balance API, which leaked admin funds. I could also perform various admin functions like:
- Withdraw Funds
- View Token History
- View Balance
This had some solid impact. If this had not been reported in time, the potential for disaster would have been very high: if a malicious hacker had found this before I did, they could have cleaned out his account and sent the company broke. I reported it 2 days later; it got triaged and fixed within 1 day, and they paid me $9,000 USD, which is about $12,000 in my currency.
If you are interested in learning this attack vector and want to find some yourself, you can pre-register to join the waiting list for my Recon-as-a-Service platform, which will find these types of vulnerabilities for you, with guided instructions and tutorials to learn this attack.
I hope you enjoyed this story. Feel free to follow me on Twitter and clap for this story; until next time.