ID Status Summary Opened by
302 Assigned Broken Access Control allows user to read backup relate... b8192051

Task Description

Actual Issue:

A user that does not have backup permissions is still able to access backup-related task and log details by replaying previously captured requests.

The following endpoints return backup-related information even after the user’s backup permission has been removed:

GET /task/<id>/detail/ HTTP/2
Host: admin.alwaysdata.com

GET /log/<id>/detail/ HTTP/2
Host: admin.alwaysdata.com

Since backup access is denied, the user should not be able to access any backup-related task or log information.

Steps To Reproduce

  • and create two accounts:
    accountA@gmail.com
    accountB@gmail.com
  • Log in to accountA@gmail.com
  • Invite accountB@gmail.com and initially grant it full access (this is to make capturing the request easier).
  • Log in to accountB@gmail.com
  • Navigate to: Advanced → Backup Recovery
  • Fill in the necessary details and submit the form while proxying the traffic through Burp Suite.
  • In Burp, identify the requests sent to the following endpoints:
    /task/<id>/detail/
    /log/<id>/detail/

Now, to demonstrate the actual vuln:

  • Now go back to accountA@gmail.com
  • Navigate to Permissions → Account Permissions.
  • Under the All permissions account section, grant all permissions except the backups permission.
  • Confirm that accountB@gmail.com no longer has access to backup functionality from the UI.
  • Go back to Burp Suite and replay the previously captured requests to verify that accountB@gmail.com can still access the backup information.

Security Impact

  • Since the IDs are sequential and IDs for accounts that the attacker does not belong to return 404, the attacker can occasionally run brute force attacks to access the backup information of all backups even though they do not have access to it.
  • This breaks the expected permission model, since once backup access is revoked, the user should not be able to retrieve any backup-related information.

Additional Notes

I searched everywhere for alternative ways to access the /log/<id>/detail/ and /task/<id>/detail/ endpoints, since they appear to be generic log- and task-related endpoints to which the attacker has access, but could not find any.

This clearly indicates that these endpoints are tied to the backup operation workflow, and a user without backup permissions should not have access to them.
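The fix the report argues for is a per-record authorization check: the server must know which workflow produced a task or log record and re-check the caller's current permission for that workflow on every request, instead of only checking that the record belongs to an account the user is a member of. The following Python model is an added illustration and is not alwaysdata's code (the report contains no code). The `Task.category` field, the `REQUIRED_PERMISSION` mapping, the `(user, account)` permission store and all account names and task ids are assumptions constructed for the example; the "vulnerable" function reproduces the behaviour the report describes, the "fixed" function shows the check that closes it while keeping the 404 for foreign ids that the report observes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    """A task or log record. `category` is an assumed field: the report argues these
    records belong to the backup workflow, so the server must be able to tell which
    workflow produced a record in order to apply that workflow's permission."""
    id: int
    account: str      # account the record belongs to
    category: str     # assumed: "backup", "dns", ...
    detail: str


# Assumed mapping from record category to the account permission it requires.
REQUIRED_PERMISSION = {"backup": "backups"}


class NotFound(Exception):
    pass


class AccessDenied(Exception):
    pass


def current_permissions(perm_store, user, account):
    """Read the delegated user's permissions on the account from the store on every
    request; nothing is cached in the session, so a revocation applies immediately."""
    return perm_store.get((user, account), set())


def task_detail_vulnerable(user, account, task_id, task_store):
    """Behaviour the report describes: only membership of the account is checked,
    so a replayed request still returns backup details after 'backups' is revoked."""
    task = task_store.get(task_id)
    if task is None or task.account != account:
        raise NotFound(task_id)
    return task.detail


def task_detail_fixed(user, account, task_id, task_store, perm_store):
    """Hardened form: the same 404 for unknown or foreign ids, plus a per-record
    permission check derived from the record's category."""
    task = task_store.get(task_id)
    if task is None or task.account != account:
        raise NotFound(task_id)
    needed = REQUIRED_PERMISSION.get(task.category)
    if needed is not None and needed not in current_permissions(perm_store, user, account):
        raise AccessDenied(f"'{needed}' permission required for task {task_id}")
    return task.detail


def run_scenario():
    """Replays the report's sequence on constructed data: accountB, invited into
    accountA's account with full access, has a backup task; accountA then revokes
    'backups'; accountB replays the captured detail request."""
    tasks = {
        17: Task(17, "accountA", "backup", "restore of example-site from its latest backup"),
        18: Task(18, "accountZ", "backup", "a backup task of an unrelated account"),
    }
    perms = {("accountB", "accountA"): {"backups", "dns", "mail"}}
    out = {}

    out["before_vulnerable"] = task_detail_vulnerable("accountB", "accountA", 17, tasks)
    out["before_fixed"] = task_detail_fixed("accountB", "accountA", 17, tasks, perms)

    # accountA grants every permission except backups.
    perms[("accountB", "accountA")] = {"dns", "mail"}

    out["after_vulnerable"] = task_detail_vulnerable("accountB", "accountA", 17, tasks)
    try:
        out["after_fixed"] = task_detail_fixed("accountB", "accountA", 17, tasks, perms)
    except AccessDenied:
        out["after_fixed"] = "denied"

    # An id belonging to another account stays a 404 in both versions.
    for name, call in (
        ("foreign_vulnerable", lambda: task_detail_vulnerable("accountB", "accountA", 18, tasks)),
        ("foreign_fixed", lambda: task_detail_fixed("accountB", "accountA", 18, tasks, perms)),
    ):
        try:
            out[name] = call()
        except NotFound:
            out[name] = "not_found"
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The design point is that both checks happen inside the view, per record, against permissions fetched at request time: a check performed only when rendering the UI, or a permission snapshot held in the session, is exactly what a replayed request bypasses.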

301 Closed I found a broken access control that allows users to re... b8192051

Task Description

Steps to reproduce:

  1. Navigate to https://www.alwaysdata.com/en/register/ and create 2 accounts, accountA@gmail.com, accountB@gmail.com
  2. In accountA@gmail.com, invite accountB@gmail.com and grant it all access (this is so that we can capture the request to make testing easy.)
  3. Log in to accountB@gmail.com, click on Advanced → Backup Recovery, fill in the necessary details and submit while proxying the traffic through Burp.
  4. In Burp, identify the traffic to these endpoints and intercept.