Lab 210 — RouteMesh — Broken Auth via Trusted Gateway Headers

hackadvisor

Task: Express.js API gateway dashboard behind nginx trusts X-Gateway-Role header for authorization without stripping it from external requests. Solution: Inject X-Gateway-Role: admin header to escalate from viewer to admin and access the secrets panel containing the flag.

nginx express privilege_escalation broken_access_control honeypot_decoy rbac_bypass api_gateway gateway_header_injection x_gateway_role header_spoofing

decoy_flag_avoidanceinternal_gateway_header_spoofingprivilege_escalation_via_trusted_headerapi_documentation_enumeration

$ ls tags/ techniques/

nginx express privilege_escalation broken_access_control honeypot_decoy rbac_bypass api_gateway gateway_header_injection x_gateway_role header_spoofing

decoy_flag_avoidanceinternal_gateway_header_spoofingprivilege_escalation_via_trusted_headerapi_documentation_enumeration

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 303 — DevGateway — Broken Access Control in Admin API— hackadvisor
[web][Pro]Lab 190 — ApiNexus — Proxy Access Control Bypass via URL Path Normalization— hackadvisor
[web][Pro]Lab 218 — InsightDash — Web Cache Deception via URL Parser Discrepancy— hackadvisor
[web][Pro]Lab 233 — PulseAPI — Regex Auth Bypass via Query String Injection— hackadvisor
[web][Pro]Lab 113 — CloudNest— hackadvisor