report icon indicating copy to clipboard operation
report copied to clipboard

Published 20 hours ago verified publisher icon anji-plus

Authentication Bypass vulnerability

Open S2eTo opened this issue 2 years ago • 0 comments

这是英文的漏洞报告,中文的在(This is the English report, the Chinese report is in): 身份验证绕过漏洞

Description

The program uses a fixed JWT key, and the stored Redis key uses username format characters. Any user who has logged in within an hour. JWT Token can be forged with his username to bypass authentication

Login API

com.anjiplus.template.gaea.business.modules.accessuser.controller.AccessUserController#login

image-20221015111709407

Make redis key of format username, Although uuid is used, uuid is not involved in authentication.

com.anjiplus.template.gaea.business.modules.accessuser.service.impl.AccessUserServiceImpl#login

com.anjiplus.template.gaea.business.constant.BusinessConstant#GAEA_SECURITY_LOGIN_TOKEN

image-20221015112014779

Uses a fixed JWT secret key

spring-boot-gaea-2.0.5.RELEASE.jar!com.anji.plus.gaea.utils.JwtBean#createToken

spring-boot-gaea-2.0.5.RELEASE.jar!com.anji.plus.gaea.GaeaProperties.Security#getJwtSecret

image-20221015112804990

TokenFilter for authentication

com.anjiplus.template.gaea.business.filter.TokenFilter#doFilter

image-20221015113222257

Forge different users' Tokens by modifying the username field

{
    "type": 0,
    "uuid": "",
    "tenant": "tenantCode",
    "username": "admin"
}

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0eXBlIjowLCJ1dWlkIjoiIiwidGVuYW50IjoidGVuYW50Q29kZSIsInVzZXJuYW1lIjoiYWRtaW4ifQ.ce3xqqUypEinA_ZCSky9AptKjkG8qFm8ESMuCunqe6Y

image-20221015122659078

S2eTo avatar Oct 15 '22 04:10 S2eTo