Mutillidae - User-Agent Impersonation

Mutillidae – User-Agent Impersonation

In this walk through, we will be going through the User-Agent Impersonation vulnerability section from Mutillidae Labs. We will be exploring and performing User-Agent Impersonation with User Agent Switcher and learn how application are affected because of it. So, let’s get started with the Hacking without any delay.

User-Agent Impersonation

Security Level: 0 (Hosed)

  • Setting the security level to 0 or Hosed.

Security level 0

  • In this challenge, the application is authorizing the user on the basis of his browser information with the help of User-Agent. It expects a user with iPad on Safari Browser.

Browser Fingerprint

  • I used User-Agent switcher on mozilla and changed the user-agent to that of iPad.

User Agent Switcher

  • However it didn’t worked even now.

Unable to spoof properly

  • Upon checking the source code found out that the application is checking the platform field for “iPad”. Dig something on this however was unable to come up any way to edit it.

Page source code

  • Next, i intercepted the request and Then intercept the response by right clicking -> Do intercept – Response of this request.

Burpsuite intercept

  • Changed the iPad value to iOS in the response and forward the request. We are not authorized to view the page.

iPad required useragent check

iPad required useragent check

Bypassed successfully

Also Read: Mutillidae – Sqlmap Practice (View Blogs)

Conclusion:

Conclusion

So, we finally completed all the security levels for the Mutillidae User-Agent Impersonation Vulnerability. We looked into the various ways how application has been set up in various levels and how we can bypass the security controls implemented. Next, we can mitigate the potential User-Agent Impersonation attacks by solely not relying on client side controls like User Agent for allowing access to the resource on the web server. Developers can create required server side checks and proper authentication mechanisms in order to prevent these types of attacks. On that note, i will take your leave and will meet you in next one with another Mutillidae vulnerability writeup, till then “Keep Hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top