
Security vulnerability: Possible to Remove Captcha Challenge from Change Password Request

Open zhamadagithub opened this issue 1 year ago • 3 comments

Every bug report should have precise description and reproduction steps; console traces or source code references are appreciated.

For assistance requests, contact Azure support or submit a post on Stack Overflow. We don't provide support through GitHub Issues. Feature requests can be raised on the Azure Feedback Forum.

Bug description

Possible to Remove Captcha Challenge from Change Password Request

Reproduction steps

While testing the password change function, I noticed that it was possible to remove the Captcha Challenge portion of the parameters in a POST request to https://api-intance.../change-password. This allows a user to bypass the captcha requirement when changing their password. This protection was put in place to help prevent brute force type attacks since password changes represent a significant risk area for the application.

Expected behavior

This Captcha Challenge Bypass vulnerability allows a malicious user to bypass the Captcha Challenge requirement when changing their password. This can be accomplished by simply removing the Captcha Challenge portion of the parameters in a POST request to https://api-portal.nyc.gov/change-password. This protection was put in place to help prevent brute force type attacks since password changes represent a significant risk area for the application, which could impact the Integrity of the password data in the application and the availability of the password change function since brute force attacks are possible.

Is your portal managed or self-hosted?

Managed

Environment

  • Azure APIM

Additional context

There should be a check for the required Captcha Challenge fields in the password change POST. This would prevent users from simply removing the Challenge parameters and sending the POST request in without them. Doing so allows a user to bypass the rate limiting control that the application is attempting to enforce for the password change function.

For more information on password reset vulnerabilities, please see the following pages:

  • https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities
  • https://cwe.mitre.org/data/definitions/640.html

zhamadagithub, Jul 23 '23 02:07
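The missing server-side check described in this report, shown as an added example that is not part of the issue or of the portal's own code base: a change-password validator that only checks the captcha when the client chose to send one, beside a fail-closed version that treats the captcha fields as mandatory. The field names, status codes and the stand-in verifier are assumptions.

```javascript
// Added example, not the portal's code. Body shape and field names are assumed:
// { currentPassword, newPassword, captcha: { challengeId, solution } }

// WEAK: the captcha is verified only if the client included it, so a request
// with the captcha object stripped out skips the check entirely (the bug).
function weakValidate(body, verify) {
  if (!body.currentPassword || !body.newPassword) {
    return { ok: false, status: 400, reason: "missing password fields" };
  }
  if (body.captcha && !verify(body.captcha.challengeId, body.captcha.solution)) {
    return { ok: false, status: 403, reason: "captcha failed" };
  }
  return { ok: true };
}

// HARDENED: captcha fields are required, must be non-empty strings, and any
// verifier error counts as failure (fail closed) instead of letting the
// request through. Presence is checked before the verifier is consulted.
function hardenedValidate(body, verify) {
  if (!body.currentPassword || !body.newPassword) {
    return { ok: false, status: 400, reason: "missing password fields" };
  }
  const id = body.captcha && body.captcha.challengeId;
  const sol = body.captcha && body.captcha.solution;
  const isFilled = (v) => typeof v === "string" && v.length > 0;
  if (!isFilled(id) || !isFilled(sol)) {
    return { ok: false, status: 400, reason: "captcha challenge fields are required" };
  }
  let passed = false;
  try {
    passed = verify(id, sol) === true;
  } catch (_err) {
    passed = false; // verifier outage must not become a bypass
  }
  if (!passed) {
    return { ok: false, status: 403, reason: "captcha failed" };
  }
  return { ok: true };
}

// Constructed stand-in for a captcha service: a single known challenge/answer.
const KNOWN_CHALLENGES = { "chal-123": "x7kq" };
const demoVerifier = (id, sol) => KNOWN_CHALLENGES[id] === sol;

// Constructed request bodies: one with the captcha stripped, one complete.
const strippedBody = { currentPassword: "old-pw", newPassword: "new-pw" };
const validBody = { ...strippedBody, captcha: { challengeId: "chal-123", solution: "x7kq" } };
```

With `demoVerifier`, `weakValidate(strippedBody, ...)` returns `{ ok: true }` while `hardenedValidate` returns a 400 for the same body and a 403 for a wrong solution.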