Bypass Apple Corp SSO on Apple Admin Panel ($6000 USD)
Another case of different normalization routines resulting in smuggling a request to an endpoint blocked by a reverse proxy.
In this case we have the Apple domain https://rampadmin.apple.com. All endpoints on this domain were protected by Apple's single sign-on service except the /healthcheck endpoint. It appears that this login process was enforced by a front-end reverse proxy server that would either redirect to the login if the user was not logged in, or proxy the request to the desired endpoint if they were. However, there was a difference in how the reverse proxy and the target server handled ..;/ in the path.
So by sending a request for a path like /healthcheck/..;/some/real/endpoint, the request would pass through the login check, which treated it as a request destined for the healthcheck, but the application server would then perform the directory traversal and serve up the real endpoint's content.
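The following is an added example, not code from the original write-up, that models the mismatch described above and the fix a defender would apply: the proxy's allow-list decision is made on the raw request path, while the backend (modelled here after a servlet-container-style resolver that treats `;...` as a per-segment path parameter and then collapses `..`) serves something else. The names `PUBLIC_PREFIXES`, `naive_proxy_is_public`, `backend_resolve` and `hardened_proxy_is_public` are assumptions for this illustration; the sample paths are constructed.

```python
# Added example (not from the original write-up). Models why a prefix-based
# unauthenticated allow-list at a reverse proxy can disagree with a backend
# that strips ";param" from each path segment before resolving "..", and
# shows the fix: canonicalise exactly as the backend will, then authorise.
from urllib.parse import unquote

# Paths the proxy lets through without SSO (assumed; mirrors the write-up).
PUBLIC_PREFIXES = ("/healthcheck",)


def naive_proxy_is_public(raw_path: str) -> bool:
    """The flawed proxy check: decides on the raw path the client sent."""
    return raw_path.startswith(PUBLIC_PREFIXES)


def backend_resolve(raw_path: str) -> str:
    """Model of the backend's path resolution (assumed behaviour):
    split on '/', percent-decode each segment, drop any ';param' suffix,
    then collapse '.' and '..' segments."""
    resolved = []
    for seg in raw_path.split("/"):
        seg = unquote(seg).split(";", 1)[0]  # '..;' -> '..', '%2e%2e;x' -> '..'
        if seg in ("", "."):
            continue
        if seg == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(seg)
    return "/" + "/".join(resolved)


def hardened_proxy_is_public(raw_path: str) -> bool:
    """Hardened proxy check: authorise on the path the backend will actually
    serve, and refuse requests that needed traversal or path parameters to
    get there at all."""
    canonical = backend_resolve(raw_path)
    suspicious = any(
        unquote(seg).split(";", 1)[0] == ".." or ";" in unquote(seg)
        for seg in raw_path.split("/")
    )
    if suspicious:
        return False
    return canonical == "/healthcheck" or canonical.startswith("/healthcheck/")


def audit(paths):
    """Return (path, naive_decision, hardened_decision, backend_path) for each
    request, so mismatches between proxy and backend views are visible."""
    return [
        (p, naive_proxy_is_public(p), hardened_proxy_is_public(p), backend_resolve(p))
        for p in paths
    ]


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, two that exercise the gap.
    for row in audit([
        "/healthcheck",
        "/healthcheck/..;/admin/users",
        "/healthcheck/%2e%2e;/admin/users",
    ]):
        print(row)
```

The key design point is that the proxy reuses the backend's own resolution rules before deciding; a prefix match on the raw string is only as good as the backend's agreement with it. In a real deployment the proxy should also reject or normalise encoded and parameterised segments at the edge rather than forwarding them.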