Comments (2)
threatLevel="Moderate" type="Information Leak"
The server uses authentication tokens to grant a user access to a resource.

Example request with authentication token "5a29a471f3b21be11928361f5c42aeabf0c5cd8f":

```http
GET /v1/user/emails HTTP/1.1
Host: badgr-dev2.edubadges.nl
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Token 5a29a471f3b21be11928361f5c42aeabf0c5cd8f
Referer: https://surf-dev2.edubadges.nl/profile/profile
Origin: https://surf-dev2.edubadges.nl
Connection: close
```

The same authentication token is sent as a URL query parameter in the following GET requests (in the `state` and `authToken` parameters respectively):

```
https://oidc.connect.surfconext.nl/authorize?scope=openid&state=connect-5a29a471f3b21be11928361f5c42aeabf0c5cd8f-1&redirect_uri=https%3A%2F%2Fbadgr-dev2.edubadges.nl%2Faccount%2Fopenid%2Flogin%2Fcallback%2F&response_type=code&client_id=https%40%2F%2Fsurf-dev2.edubadges.nl
https://badgr-dev2.edubadges.nl/account/sociallogin?provider=surf_conext&authToken=5a29a471f3b21be11928361f5c42aeabf0c5cd8f
```
Sensitive information within URLs may be logged in various locations
(including the browser, the web server, and any forward or reverse proxy
servers between the two endpoints). URLs may also be displayed on-screen,
bookmarked or emailed around by users. They may be disclosed to third
parties via the Referer header when any off-site links are followed.

Impact:
Authentication tokens allow an attacker unfettered access to the application as the
logged-in user.

Recommendation:
When authentication tokens need to be sent using other means than cookies, use an
alternative mechanism, e.g. sending tokens in hidden form fields using the
POST method.
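The detection and log-hygiene side of this finding, as an added example in Python that is not code from the badgr-server project or from the audit: it scans access-log lines for query parameters that carry a token, both in the request target and in the Referer field (the two leakage paths described above), and produces a redacted copy of each line. The log lines are constructed for the example (lines 1, 2 and 4 reuse the request URLs quoted in the finding); the 40-hex-character token pattern and the list of tell-tale parameter names are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: tokens look like the report's example, 40 lowercase hex
# characters. The look-arounds keep the pattern from matching inside a
# longer hex run.
TOKEN_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{40}(?![0-9a-f])")
# Assumption: parameter names that should never carry a credential in a URL.
SUSPECT_PARAMS = {"authtoken", "token", "access_token", "api_key"}
REDACTED = "[REDACTED]"


def find_tokens_in_url(url):
    """Return (parameter, token) pairs for query values that embed a token.

    Works on absolute URLs and on bare request targets such as
    '/account/sociallogin?authToken=...'.
    """
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        found = TOKEN_RE.findall(value)
        if not found and name.lower() in SUSPECT_PARAMS and value:
            # Opaque token under a tell-tale name: flag the whole value.
            found = [value]
        hits.extend((name, tok) for tok in found)
    return hits


def redact_url(url):
    """Return the URL with embedded tokens replaced by a marker, leaving the
    rest of the query string intact so the log line stays useful."""
    parts = urlsplit(url)
    cleaned = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SUSPECT_PARAMS and value:
            value = REDACTED
        else:
            value = TOKEN_RE.sub(REDACTED, value)
        cleaned.append((name, value))
    # safe="[]" keeps the marker readable instead of %5BREDACTED%5D.
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))


# Combined-log-format fields we care about: the request line and the Referer.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"'
)


def scan_log(lines):
    """Scan combined-format access-log lines.

    Returns (findings, redacted_lines); each finding is
    (line_number, location, parameter, token) where location is 'request'
    for the request target or 'referer' for the Referer field.
    """
    findings, redacted = [], []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if match is None:
            redacted.append(line)
            continue
        clean = line
        for group, label in (("target", "request"), ("referer", "referer")):
            original = match.group(group)
            for name, tok in find_tokens_in_url(original):
                findings.append((number, label, name, tok))
            safe = redact_url(original)
            if safe != original:
                clean = clean.replace(original, safe)
        redacted.append(clean)
    return findings, redacted


# Constructed access-log lines for this example. Line 4 shows the token
# arriving in a Referer header after an off-site link was followed.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2019:10:00:01 +0000] "GET /account/sociallogin?provider=surf_conext&authToken=5a29a471f3b21be11928361f5c42aeabf0c5cd8f HTTP/1.1" 302 0 "https://surf-dev2.edubadges.nl/profile/profile" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2019:10:00:02 +0000] "GET /authorize?scope=openid&state=connect-5a29a471f3b21be11928361f5c42aeabf0c5cd8f-1&redirect_uri=https%3A%2F%2Fbadgr-dev2.edubadges.nl%2Faccount%2Fopenid%2Flogin%2Fcallback%2F&response_type=code&client_id=https%40%2F%2Fsurf-dev2.edubadges.nl HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2019:10:00:03 +0000] "GET /v1/user/emails HTTP/1.1" 200 512 "https://surf-dev2.edubadges.nl/profile/profile" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2019:10:00:04 +0000] "GET /docs/ HTTP/1.1" 200 2048 "https://badgr-dev2.edubadges.nl/account/sociallogin?provider=surf_conext&authToken=5a29a471f3b21be11928361f5c42aeabf0c5cd8f" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found, clean = scan_log(SAMPLE_LOG)
    for number, where, name, tok in found:
        print(f"line {number}: token in {where} parameter {name!r}: {tok[:8]}...")
    print("\n".join(clean))
```

The `state` parameter is caught by the token pattern rather than by its name, which is the case that matters here: the token is wrapped in `connect-...-1`, so a name-based filter alone would miss it. Running the scanner over retained logs gives a quick measure of how widely a token has already spread before the application is changed to send it in a POST body.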
from audit.
Did you configure your badgr-server to run in "Public" mode instead of "Confidential" mode on your SSO provider's application configuration system? Or perhaps it should just be upgraded to make more secure options available to you. Ideally with an Authorization Code OAuth grant type the system sends a short-term access "code" in the query parameter that is then exchanged for a longer term token with potential refreshability over a secure connection.
from audit.