
Hacking Thick Clients – Authorization Bypass

Hello Readers,

This post is focused on setting up a vulnerable thick client application and finding vulnerabilities in it. The post is an unofficial part of the ongoing series of posts by NetSPI. NetSPI has released a vulnerable thick client app called BetaFast which comes in two versions, BetaBank and BetaFast, based on 2-tier and 3-tier architecture respectively. The app is coded by Austin Altmann and he is writing the walk-through series.

Note: At the time of writing this blog, the walk-through/write-up for authorization bypass vulnerability was yet to be published by NetSPI and therefore I decided to create this blog post.

All the credit for developing and maintaining this app goes to Austin and NetSPI team. You can find some of the cool write-ups here. Let's start.

Setting up Betafast -
1. Download the files from GitHub.
2. Extract and open the .sln file with Visual Studio
3. Look for App.config
4. Edit the App.config file's baseUri key value as shown in the screenshot below -
5. Click on Build -
6. Install docker desktop for Windows from here.
7. You need to enable Hyper-V for running docker-desktop. The following command can be run as administrator, and a restart is required before docker-desktop will run.
 To enable:
      bcdedit /set hypervisorlaunchtype auto
 To disable:
      bcdedit /set hypervisorlaunchtype off
8. Navigate to the docker folder of Betafast and open powershell.
9. To launch the servers, use the following commands in the same directory as docker-compose.yml: 
docker-compose build 
docker-compose up 

10. Now let's make the following entry in the Windows hosts file - 

11. In order to intercept the requests from the application we will set up a system proxy as shown below -

12. Configure Burpsuite proxy listener to the same and let's start with finding the vulnerability.

Finding the Vulnerability -

Step 1: Click on 'Create Account' to register a new low privileged user -

Step 2: Register using some credentials -

Step 3: Login and check HTTP History. We will see an interesting request being made to check whether the logged-in user is an admin or not -

Step 4: Before tampering with the response, let's explore the user panel. You can see in the screenshot below that it has a limited number of tabs and functionality -

Step 5: Now logout and login again while keeping intercept on, in order to change the response on the fly -
Change the response from 'false' to 'true' -

Step 6: We are now able to access the admin functions available in the application -

Step 7: Let's add an admin user to confirm that we really can perform admin actions from the low privileged user -

Conclusion : We were able to bypass the access control mechanism and access admin dashboard to perform unauthorized actions from a low privileged account.
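The root cause above is that the client decides what to show based on an "is this user admin?" answer, and the flipped response is never re-checked when the admin action is actually submitted. The following added illustration (my own constructed model, not BetaFast's code; the session tokens, endpoint names and add-user body are assumptions) contrasts a handler that trusts the client's belief about its role with one that re-derives the role from the server-side session on every privileged call:

```python
"""Client-trusted vs server-enforced authorization (constructed model)."""
from dataclasses import dataclass, field

# Constructed server-side session store: token -> (username, is_admin)
SESSIONS = {
    "tok-alice": ("alice", True),
    "tok-bob": ("bob", False),
}

# Constructed audit trail; a real service would write this to its log pipeline.
AUDIT: list = []

@dataclass
class Request:
    token: str
    # Hypothetical client-supplied flag: what the client *believes* after the
    # intercepted 'false' -> 'true' edit.
    client_says_admin: bool = False
    body: dict = field(default_factory=dict)

@dataclass
class ApiResult:
    status: int
    message: str

def is_admin_endpoint(token: str) -> bool:
    """The informational 'is admin?' lookup the UI uses to show or hide tabs."""
    return SESSIONS.get(token, (None, False))[1]

def add_user_vulnerable(req: Request, users: dict) -> ApiResult:
    """Weak design: the server trusts the client's view of its own role."""
    if not req.client_says_admin:
        return ApiResult(403, "forbidden")
    users[req.body["username"]] = req.body["role"]
    return ApiResult(200, "user created")

def add_user_hardened(req: Request, users: dict) -> ApiResult:
    """Server re-derives the role from the session on every privileged call."""
    session = SESSIONS.get(req.token)
    if session is None:
        return ApiResult(401, "unauthenticated")
    username, is_admin = session
    if not is_admin:
        # A non-admin session reaching an admin-only action is a detection
        # signal in its own right, so record it before rejecting.
        AUDIT.append(f"DENY add_user user={username} token={req.token}")
        return ApiResult(403, f"forbidden: {username} is not admin")
    users[req.body["username"]] = req.body["role"]
    return ApiResult(200, "user created")
```

With the hardened handler the tampered response still changes what the client displays, but the "add admin user" call itself fails and leaves an audit entry.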
Thanks for reading. You can read more about access control bypass from here.


  1. This is highly informative, crisp and clear. I think that everything has been described in a systematic manner so that the reader could get maximum information and learn many things. Vulnerabilty

