Working on a BBP. Need some fresh ideas.

Alright folks, I’m currently trying to figure out a bug within the context of a BBP. I’m kind of stumped on what to try next so I’m coming here for some help hoping I can get a fresh set of eyes and ideas. Do note though that I will not be disclosing exactly what program due to bounty reasons if it does lead to a vulnerability. So here’s what’s going on.

I was searching for APIs and I found a couple. I started testing them and discovered that the server’s handling of authentication tokens is a little buggy (OAuth 2.0 protocol, using opaque tokens). The APIs check the auth tokens provided in the HTTP request against the authorization server before continuing anything else. I’ve discovered that if you alter the auth token in a specific way, it won’t throw back your standard “user not found” error. Instead, it does not like that one bit and just outright causes a 500 internal server error. It doesn’t handle it gracefully at all.

I tested this across multiple APIs (multiple subdomains) and the results were consistent. On most of them, if you delete part of the token up to a specific point, it will fail with a 500 error. On some of them, if you add an “=” to that specific portion of the token, it will also throw a 500 without removing anything. I even tested it when accessing an API that was on the authorization server itself and the 500 error occurred. However, I tested it on one of their newer APIs and it only ever returned “user not found” when changing the token. I’ve tried throwing in some SQLi/command injection payloads just to test it to see what happens, but nothing came of it.

I can’t really tell much about the token and whether there is a specific format to it, it’s not a JWT or anything, it’s opaque so it’s just a random string. All I can tell is every token has a static 5 letter identifier at the beginning that never changes among the tokens. Also the exceptions are generic and don’t really disclose any information. The only information I’ve got from the internal server error messing with one of the APIs was a “Request failed” message indicating that they use Jersey along with a servlet container ID. Just for reference, the server runs on Nginx-Clojure and the headers in the responses say it’s powered by Jetty.

I’ve tried basically everything I’ve learned so far. It’s black-box testing, so I don’t have access to server logs that would help identify the issue. So I want some more ideas on what I can try in order to figure out what this thing is doing, because I’m stumped as to what to do from here. I want to know what you would do from this point so I can learn from other people’s perspectives and experiences as well.

submitted by /u/JCcolt

from hacking: security in practice https://ift.tt/Io7YtSK
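The symptom the post describes, a 500 instead of the usual 401 when the token is truncated or has an “=” inserted, is what an unguarded decode-then-lookup path produces when the decoder throws. As an added example (not code from the post or from the program in question), using a constructed token format that assumes only the fixed 5-letter prefix the post mentions, here is that fragile pattern beside a handler that checks the token's shape before decoding and maps every failure to the same 401:

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# Constructed, hypothetical format: a fixed 5-letter prefix (as in the post)
# followed by a base64url body. This is NOT the real program's token layout.
TOKEN_PREFIX = "abcde"
_BODY_RE = re.compile(r"[A-Za-z0-9_-]{16,}")  # unpadded base64url, minimum length


def _encode_body(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


# Constructed token store standing in for the authorization server's lookup.
VALID_TOKENS = {TOKEN_PREFIX + _encode_body(b"session:user-42"): "user-42"}


def naive_lookup(token: str) -> Optional[str]:
    """Decode-then-lookup with no validation. A truncated body raises
    binascii.Error; an unguarded request pipeline turns that into a 500."""
    body = token[len(TOKEN_PREFIX):]
    base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))  # may raise
    return VALID_TOKENS.get(token)


def authenticate(auth_header: Optional[str]) -> Tuple[int, str]:
    """Hardened handler: malformed and unknown tokens both yield 401,
    with the same body, and no exception ever escapes."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, "missing token"
    token = auth_header[len("Bearer "):]
    if not token.startswith(TOKEN_PREFIX):
        return 401, "user not found"
    body = token[len(TOKEN_PREFIX):]
    # Shape check before any decoding: rejects an inserted '=' and short bodies.
    if not _BODY_RE.fullmatch(body):
        return 401, "user not found"
    try:
        base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except (binascii.Error, ValueError):
        return 401, "user not found"  # decoder failure is a client error
    user = VALID_TOKENS.get(token)
    if user is None:
        return 401, "user not found"
    return 200, user
```

Returning the identical 401 for a malformed token and for an unknown one also removes the behavioural difference that makes the 500 noticeable in the first place.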
