Saidajaula Monstro Fit is a Flask API built with the purpouse of demonstrating how a malicious user could exploit a Broken Authentication vulnerability and escalate his priviledges.
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
The main goal of this app is to discuss how Broken Authentication vulnerabilities can be exploited and to encourage developers to send secDevLabs Pull Requests on how they would mitigate these flaws.
To start this intentionally insecure application, you will need Docker and Docker Compose. After forking secDevLabs, you must type the following commands to start:
cd secDevLabs/owasp-top10-2017-apps/a2/saidajaula-monster
make install
Then simply visit localhost:10082 ! 😆
To properly understand how this application works, you can follow these simple steps:
- Visit it's homepage!
- Try registering yourself as a new user.
Now that you know the purpose of this app, what could possibly go wrong? The following section describes how an attacker could identify and eventually find sensitive information about the app or it's users. We encourage you to follow these steps and try to reproduce them on your own to better understand the attack vector! 😜
It's possible to reach the server's web application through the HTTP port 10082, as we can see from the image below:
We can sign-up for a new account by clicking the SIGN UP
button on the top right corner. Then, we are redirected to the /register
page. As shown by the image below:
After creating an account, we are redirected to the /login
page and, to better understand how the application is handling the requests, we will perform a login using the following curl
command. As shown by the image:
curl -i -L localhost:10082/login -F "username=daniel" -F "password=daniel" -X POST
As we can see from the image above, the application sets a cookie for the user, sessionId
. By having a better look at this cookie, we find out that it is actually base64 encoded, and it's content are as following:
Now, by having a look at the app's code, it's possible to see that all the information to generate this cookie is known to any user, as shown by the following image:
Knowing how the cookie is being generated, a malicious user could create his own to gain access to pages he shouldn't have. An attacker could obtain admin privileges by changing the cookie's permission
field, as depicted by the image below:
It is also possible to generate this cookie from terminal using shasum
command:
echo -n '{"permissao": 1, "username": "daniel"}' | shasum -a 256
After that, the attacker needs to concatenate the cookie's fields and the hash, separated by a dot. As shown by the following image:
The server expects the cookie to be in base64 format, so the attacker needs to encode his cookie. As we can see from the image below using the command:
echo -n '{"permissao": 1, "username": "daniel"}.35771d6998cf216aa3297d1fb54462e04d85443be6092a02961b52b24c2d3250' | base64
Now, all an attacker needs to do is try to access the /admin
only page. As shown by the image below:
curl -v --cookie "sessionId=eyJwZXJtaXNzYW8iOiAxLCAidXNlcm5hbWUiOiAiZGFuaWVsIn0uMzU3NzFkNjk5OGNmMjE2YWEzMjk3ZDFmYjU0NDYyZTA0ZDg1NDQzYmU2MDkyYTAyOTYxYjUyYjI0YzJkMzI1MA==" http://localhost:10082/admin
How would you mitigate this vulnerability? After your changes, an attacker should not be able to:
- Log in as admin or any other user, rather than himself, by modifying the session cookie.
[Spoiler alert 🚨 ] To understand how this vulnerability can be mitigated, check out these pull requests!
We encourage you to contribute to SecDevLabs! Please check out the Contributing to SecDevLabs section for guidelines on how to proceed! 🎉