Bypassing Basic Authentication

Hello all, I am currently doing the Web Attacks module, section Bypassing Basic Authentication. When I check the type of requests accepted by the server with the following command (as suggested by the write-up)

curl -i -X OPTIONS http://94.237.59.206:30034/

I get no info on allowed requests (please see screen-shot)

When in Burp I change the GET request to a POST one, as expected I get the pop-up window asking me for credentials, but when I replace the GET request with a HEAD request, I get an empty blank page (I’m sorry, the system prevents me from uploading another screen-shot).
Then I closed the browser, reopened it again, and accessed the page and I got the flag.

Could you please help me understand what is happening here? Thank you in advance


aight first of all let's understand the -X OPTIONS request, am not entirely sure but most definitely it's implementation specific, not apache configs in ur scenario. let's explain each of em

  1. implementation: the developer might use a wildcard on UNIMPLEMENTED methods (defaulting them to GET method)
  2. apache settings: I forgot what the exact setting is called but am sure u can make apache match unimplemented methods to whatever u want it to be, and u can also tell apache to let u handle methods as u wish. it's called Custom Handling Method or smth around that.

In ur case, the OPTIONS returns a GET or u could say magically changed to GET cuz the backend is written to redirect anything unimplemented to a GET

Also if u look at it from OpSec pov, exposing what methods are accepted does u no good, eg, u certainly don't wanna let everyone know the TRACE, CONNECT methods are available, so best redirect any OPTIONS type request to GET on some random endpoint.

And finally why ur HEAD returns an empty white page? well cuz that's how it's supposed to work, HEAD only returns the HEADERS of the request, nothing else… not even html or errors, content-type is always 0: u only got the skeleton HEADERS, and of course in the absence of HTML and with nothing for the browser to display u got an empty blank page.

I’d recommend taking some time to read through this: HTTP request methods - HTTP | MDN
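An added example, not part of the posts in this thread and not the lab's code: a local check for the behaviour discussed above, where a credential challenge issued for GET and POST is not issued for other methods. The toy server, its credentials and the GET/POST-only guard are constructed assumptions; the audit reports the status and body length each method receives without credentials.

```python
import base64, http.client, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CREDS = base64.b64encode(b"admin:constructed-pass").decode()  # constructed sample

class Handler(BaseHTTPRequestHandler):
    protect_all = False  # False = assumed weak setup: auth enforced on GET/POST only

    def _serve(self):
        guarded = self.protect_all or self.command in ("GET", "POST")
        authed = self.headers.get("Authorization") == "Basic " + CREDS
        denied = guarded and not authed
        body = b"" if denied else b"protected page\n"
        self.send_response(401 if denied else 200)
        if denied:
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":  # HEAD gets the headers only, never a body
            self.wfile.write(body)

    do_GET = do_POST = do_HEAD = do_OPTIONS = do_PUT = _serve

    def log_message(self, *args):  # keep the demo quiet
        pass

def audit(protect_all, methods=("GET", "POST", "HEAD", "OPTIONS", "PUT")):
    """Return {method: (status, body_length)} for requests sent without credentials."""
    handler = type("H", (Handler,), {"protect_all": protect_all})
    srv = HTTPServer(("127.0.0.1", 0), handler)  # local throwaway server
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    result = {}
    try:
        for m in methods:
            conn = http.client.HTTPConnection("127.0.0.1", srv.server_port, timeout=5)
            conn.request(m, "/")
            resp = conn.getresponse()
            result[m] = (resp.status, len(resp.read()))
            conn.close()
    finally:
        srv.shutdown()
        srv.server_close()
    return result

def unguarded(statuses):
    """Methods that were not challenged with 401 although GET was."""
    if statuses.get("GET", (0, 0))[0] != 401:
        return []
    return sorted(m for m, (code, _) in statuses.items() if code != 401)
```

With the weak guard, HEAD comes back 200 with a zero-length body, which a browser renders as a blank page; with `protect_all=True` every method is challenged.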

Great, but that doesn’t help you? We agree ^^ Here is my little clue: your request must be made from your index.php page, and look no further, it remains a GET ^^ PM me and I will give you more information if necessary. Discord: indra8096

I am having the same issue. No luck getting help either.