How I got Access to Auth0 Management API !!
2023-10-30 03:1:35 Author: infosecwriteups.com(查看原文) 阅读量:11 收藏

Tarun Koyalwar

InfoSec Write-ups

Recently, while hunting on a private bug bounty program I got full API Access to target’s Auth0 Management API. This was my first comeback vuln/bounty after taking a pause from Bug Bounty Hunting.

Let’s get Started without furthur ado

Target was a staging env for which I had some credentials assigned. Let’s assume the target was `stage.application.hunt`. It was a basic SPA built using React and the backend I believe is NodeJS

The very first thing I did after I was invited to program was

  • Reset Email and get password and Login
  • Select Target -> Scan -> Crawl in burp suite
  • click every button I could find on the website
Tap Every Button and visit all pages

After tapping all the buttons and visiting every page in the application I switched to burpsuite to analyze traffic. After some dead ends, I found a `PATCH` request to `/api/path/data` and it had language preference in the request body as shown in the below image

Update Language Preference Request

I tried some basic fuzzing on this endpoint by which I mean

  • Fuzzing Request Methods
  • Sending Invalid JSON
  • Changing Content-Type’s
  • Host, Origin Fuzzing etc

and every time I got a `500 Internal Server Error ` 😞 just like the below image

Internal Server Error

As I was about to move to other endpoints as final attempt i tried empty JSON string `{}` and it returned an error message 👀

500 Status Code with Error Message

After properly formatting the error i saw that it contained an Authorization Header with `Bearer eyJxxxx`. It also contained an address to which the request was being sent and that would be `https://application.us.auth0.com/api/v2/users/auth0|652xx` Searching this endpoint on Google led me to auth0 management API docs more specifically https://auth0.com/docs/api/management/v2/users/patch-users-by-id. After entering the token in the docs page it showed all permissions available to that token.

Permissions

I tried fetching user data and other endpoints like listing users, applications, updating users etc and everything worked. Even though it was a staging application it had around ~300 users in it most of them being [email protected] emails.

I immediately recorded a POC Video using OBS and wrote a simple explanation and submitted the report. The Triage Team accepted the report after 1–1/2 days and asked for some more details about the impact and after that rewarded $$$ bounty.

Verdict

I think in the backend user’s request was first unmarshalled into an object and the same object was used to send a request to the management API to update user data. Earlier when I tried invalid JSON it failed since unmarshalling failed but sending empty JSON did the trick and management API returned 400 status which errored out.

About Me

I am Tarun, a security researcher and Go Developer from India. When I am not hunting for bugs, you will find me on GitHub adding features and fixing bugs on nuclei and other PD Tools.

Later on, I found a privilege escalation(kinda) vulnerability which was triaged as low severity at first but with the above knowledge about the backend, I exploited it to make it a critical Severity report. Will share it in the next writeup. Until then follow me on twitter, or medium to be notified.


文章来源: https://infosecwriteups.com/how-i-got-access-to-auth0-management-api-44d32fa6c477?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh