Bypass Apple Corp SSO on Apple Admin Panel ($6000 USD)

We discussed this vulnerability during Episode 139 on 25 April 2022

Another case of different normalization routines resulting in smuggling a request to an endpoint blocked by a reverse proxy.

In this case we have the Apple domain https://rampadmin.apple.com. All endpoints on this domain were protected by Apple's single sign-on service except the /healthcheck endpoint. It appears that this login check was enforced by a front-end reverse proxy that would either redirect the user to the login page if they were not logged in, or proxy the request to the desired endpoint if they were. There was a difference in how the reverse proxy and the target server handled ..;/ in the path, however.

So by sending a request for a path like /healthcheck/..;/some/real/endpoint, the request would pass the login check, since the proxy treated it as a request destined for the healthcheck, but the application server would then perform the directory traversal and serve up the real endpoint's content.
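A constructed model of the discrepancy described above and of the corrected check (an added example, not Apple's code; the /healthcheck allow-list and the servlet-container-style stripping of ";..." path parameters are assumptions modelled on the writeup):

```python
import posixpath
from urllib.parse import unquote

# Constructed model of the two components in the writeup (assumption:
# the proxy prefix-matches the raw path, the backend decodes, drops
# ';...' path parameters per segment, then collapses '.' and '..').

def naive_proxy_allows_unauthenticated(path: str) -> bool:
    """Proxy as described: a raw prefix match decides whether SSO is skipped."""
    return path == "/healthcheck" or path.startswith("/healthcheck/")

def backend_resolve(path: str) -> str:
    """What the application server actually serves for a given request path."""
    decoded = unquote(path)                       # single percent-decode
    segments = [seg.split(";", 1)[0] for seg in decoded.split("/")]
    resolved = posixpath.normpath("/".join(segments))  # resolves '..'
    return resolved if resolved.startswith("/") else "/" + resolved

def hardened_proxy_allows_unauthenticated(path: str) -> bool:
    """Fix: make the auth decision on the same canonical path the backend
    will resolve, so both components agree on what is being requested."""
    return backend_resolve(path) == "/healthcheck"

def classify(path: str) -> dict:
    """Detection view: flag requests where the raw check and the canonical
    check disagree, i.e. where the proxy would have been smuggled past."""
    naive = naive_proxy_allows_unauthenticated(path)
    hardened = hardened_proxy_allows_unauthenticated(path)
    return {
        "naive_skips_sso": naive,
        "backend_serves": backend_resolve(path),
        "hardened_skips_sso": hardened,
        "smuggling_suspected": naive and not hardened,
    }

if __name__ == "__main__":
    # Constructed sample paths, including the form described in the writeup.
    for p in ["/healthcheck", "/healthcheck/..;/some/real/endpoint",
              "/healthcheck/%2e%2e;/some/real/endpoint", "/some/real/endpoint"]:
        print(p, classify(p))
```

Logging the "smuggling_suspected" signal at the proxy gives a direct detection for this class of normalization mismatch.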