Session fixation vulnerability in /verify #147

Closed
Arinerron opened this issue Mar 29, 2020 · 0 comments · Fixed by #156
Labels: bug (Something isn't working)

Arinerron (Member) commented Mar 29, 2020

Description

There is a session fixation vulnerability in rCTF exploitable through the #token=$ssid hash when making a request to the /verify endpoint.

Vulnerable code

    document.title = 'Verify' + config.ctfTitle

    const prefix = '#token='
    // The token is read straight from the URL fragment. Nothing ties it to
    // this browser's own registration, so a link carrying another team's
    // token is accepted just the same.
    if (document.location.hash.startsWith(prefix)) {
      route('/verify', true)

      const verifyToken = document.location.hash.substring(prefix.length)

      // verify() submits the token to the /verify endpoint, which signs this
      // browser in as the token's owner (see Reproduction Steps below).
      verify({ verifyToken })
        .then(errors => {
          this.setState({
            errors
          })
        })
    }

Exploitation Scenario

An attacker team could potentially steal flags by, for example, exploiting a stored XSS payload in a CTF challenge so that victim teams who solve the challenge are unknowingly (and against their will) signed into the attacker team's account. Then, the attacker can gain points / value off the backs of the victims.

Reproduction Steps

  1. Create two teams: an attacker, and a victim. Sign into the victim's account.
  2. Make an HTTP request to /verify#hash=$ssid where $ssid is the attacker's team code.
  3. Observe that you have been logged in as the attacker.

Extra Details

Commit that introduced the vulnerability

1f91230#diff-95a87eb07806dffb6d81c2ffdd27f8f5R16-R32

Potential solution

Instead of having the verification email link immediately sign users in, have it be purely for confirmation purposes. After opening the verification link and verifying the email address, the original registration page--which is polling the server for updates--would receive word that the email is verified. It would then log in without requiring a session ID from user input.

@Arinerron Arinerron added the bug Something isn't working label Mar 29, 2020
@Arinerron Arinerron added this to the Initial Release milestone Mar 29, 2020
@Arinerron Arinerron added this to To do in Backend via automation Mar 29, 2020
@Arinerron Arinerron added this to to-do in Frontend via automation Mar 29, 2020
@ethanwu10 ethanwu10 moved this from To do to Done in Backend Apr 15, 2020
@chen-robert chen-robert moved this from to-do to done in Frontend Apr 24, 2020
4 participants