Skip to content

Latest commit

 

History

History
144 lines (93 loc) · 5.41 KB

File metadata and controls

144 lines (93 loc) · 5.41 KB

Saidajaula Monster Fit

Saidajaula Monstro Fit is a Flask API built to demonstrate how a malicious user could exploit a Broken Authentication vulnerability and escalate his privileges.

Index

What is Broken Authentication?

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.

The main goal of this app is to discuss how Broken Authentication vulnerabilities can be exploited and to encourage developers to send secDevLabs Pull Requests on how they would mitigate these flaws.

Setup

To start this intentionally insecure application, you will need Docker and Docker Compose. After forking secDevLabs, you must type the following commands to start:

cd secDevLabs/owasp-top10-2017-apps/a2/saidajaula-monster
make install

Then simply visit localhost:10082 ! 😆

Get to know the app 🏋️‍

To properly understand how this application works, you can follow these simple steps:

  • Visit its homepage!
  • Try registering yourself as a new user.

Attack narrative

Now that you know the purpose of this app, what could go wrong? The following section describes how an attacker could identify and eventually find sensitive information about the app or its users. We encourage you to follow these steps and try to reproduce them on your own to better understand the attack vector! 😜

👀

Insecure session cookie validation allows for privilege escalation

It's possible to reach the server's web application through the HTTP port 10082, as we can see from the image below:

We can sign-up for a new account by clicking the SIGN UP button on the top right corner. Then, we are redirected to the /register page. As shown by the image below:

After creating an account, we are redirected to the /login page and, to better understand how the application is handling the requests, we will perform login using the following curl command. As shown by the image:

curl -i -L localhost:10082/login -F "username=daniel" -F "password=daniel" -X POST

As we can see from the image above, the application sets a cookie for the user, sessionId. By having a better look at this cookie, we find out that it is base64 encoded, and it's content are as follows:

Now, by having a look at the app's code, it's possible to see that all the information to generate this cookie is known to any user, as shown by the following image:

🔥

Knowing how the cookie is being generated, a malicious user could create his own to gain access to pages he shouldn't have. An attacker could obtain admin privileges by changing the cookie's permission field, as depicted by the image below:

It is also possible to generate this cookie from terminal using shasum command:

echo -n '{"permissao": 1, "username": "daniel"}' | shasum -a 256

After that, the attacker needs to concatenate the cookie's fields and the hash, separated by a dot. As shown by the following image:

The server expects the cookie to be in base64 format, so the attacker needs to encode his cookie. As we can see from the image below using the command:

echo -n '{"permissao": 1, "username": "daniel"}.35771d6998cf216aa3297d1fb54462e04d85443be6092a02961b52b24c2d3250' | base64

Now, all an attacker needs to do is try to access the /admin only page. As shown by the image below:

curl -v --cookie "sessionId=eyJwZXJtaXNzYW8iOiAxLCAidXNlcm5hbWUiOiAiZGFuaWVsIn0uMzU3NzFkNjk5OGNmMjE2YWEzMjk3ZDFmYjU0NDYyZTA0ZDg1NDQzYmU2MDkyYTAyOTYxYjUyYjI0YzJkMzI1MA==" http://localhost:10082/admin

Secure this app

How would you mitigate this vulnerability? After your changes, an attacker should not be able to:

  • Log in as admin or any other user, rather than himself, by modifying the session cookie.

PR solutions

[Spoiler alert 🚨 ] To understand how this vulnerability can be mitigated, check out these pull requests!

Contributing

We encourage you to contribute to SecDevLabs! Please check out the Contributing to SecDevLabs section for guidelines on how to proceed! 🎉