Laravel auth:api insecurity

2017.09.26
MaHDyfo (IR)
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

# Exploit Title: Laravel auth:api insecurity
# Date: 26-09-2017
# Exploit Author: MaHDyfo (mahdyfof[the at sign]gmail.com)
# Vendor Homepage: laravel.com
# Versions: all until now

Laravel uses Passport for API authentication, but it also ships an internal auth mechanism. The default auth:api guard is not that secure and needs some modifications. Such a system can be exploited if there is an SQL injection vulnerability in any other page of the site: if anybody can read the database, for whatever reason, they can log in to any user account, including admins. You may say that if there is an SQLi, the hacker already has everything. But no, that is not correct: technically you lose nothing if the hacker can only read the database.

I first describe how auth:api is used. To use the default auth for an API, you add an "api_token" column to the "users" table and apply the "auth:api" middleware to your routes. You then generate a random string (for example with the "str_random()" helper) and store it in the api_token column of a specific user. After that, there are several ways for the client to present the token, such as the "Bearer $token" header, etc.

Let's dig deeper now. In the login process you generate a random string and put it in the database. Then you put the exact same string in the request! Here is the problem: these two values should not be the same. In the class "Illuminate\Auth\TokenGuard" you see this method:

```php
public function getTokenForRequest()
{
    // Query string: ?api_token=...
    $token = $this->request->query($this->inputKey);

    // Form or JSON body field named api_token
    if (empty($token)) {
        $token = $this->request->input($this->inputKey);
    }

    // Authorization: Bearer <token> header
    if (empty($token)) {
        $token = $this->request->bearerToken();
    }

    // Password part of HTTP Basic credentials
    if (empty($token)) {
        $token = $this->request->getPassword();
    }

    return $token;
}
```

It takes the token from the request and checks whether any row in the database has a matching token.

How to secure it: in your login or register method, make an md5 of the token, store the md5 in the database, and save/echo the original token for the client. Then on each request, take the token and make an md5 of it. This way, if the database is leaked or disclosed for any reason, nobody can hack into the user or admin accounts. To do this, just change this line of the above code:

    return $token;

to this:

    return md5($token);

This insecurity was in the WordPress password reset some years ago and they fixed it.

Regards,
Mahdi
Iran
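As an added example of the approach described above (not part of the advisory and not Laravel's own code), here is a guard subclass that hashes the presented token before the database lookup, plus a helper that stores only the digest when a token is issued. It assumes a Laravel 5.x application with the default users.api_token column; the class name App\Auth\HashedTokenGuard and the driver name "hashed-token" are assumptions, and SHA-256 is used in place of the md5 the advisory names.

```php
<?php
// Added example, not from the advisory or from Laravel. Assumes Laravel 5.x
// with the stock users.api_token column. The advisory proposes md5; SHA-256 is
// used here instead. Either is acceptable for a long random token, because the
// hashed value is unguessable, unlike a user-chosen password.

namespace App\Auth;

use Illuminate\Auth\TokenGuard;
use Illuminate\Support\Str;

class HashedTokenGuard extends TokenGuard
{
    // The DB column now holds only the digest, so the value compared in
    // users.api_token is never something a client could replay from a dump.
    public function getTokenForRequest()
    {
        $token = parent::getTokenForRequest();

        return empty($token) ? null : hash('sha256', $token);
    }

    // Issue a fresh token: persist the digest, hand the plaintext out once.
    public static function issueFor(\App\User $user): string
    {
        $plain = Str::random(60);
        $user->forceFill(['api_token' => hash('sha256', $plain)])->save();

        return $plain;
    }
}

// Registration, placed in App\Providers\AuthServiceProvider::boot() (assumed):
//
//     Auth::extend('hashed-token', function ($app, $name, array $config) {
//         return new \App\Auth\HashedTokenGuard(
//             Auth::createUserProvider($config['provider']),
//             $app['request']
//         );
//     });
//
// and in config/auth.php:
//
//     'api' => ['driver' => 'hashed-token', 'provider' => 'users'],
```

After switching the driver, tokens already stored in plaintext stop working until they are reissued through issueFor(), which is the intended effect of the change.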


Copyright 2024, cxsecurity.com