Application
- Fastly web application
Information
- Weak password requirements: a repetitive value such as P.P.P.P.P.P.P is accepted as a new password
- No server-side complexity checks on the new password
Exploit
1. Request a password reset for the target account (POST /user/<email>/password/request_reset on api.fastly.com)
2. Follow the reset link sent by e-mail (GET on manage.fastly.com)
3. Temporary password is sent in plaintext
// HTTP POST request
POST /user/mwebsec%40gmail.com/password/request_reset HTTP/2
Host: api.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
[...]
[...]
{"g-recaptcha-response":"03AFY_a8UY[...]"}
[...]
// HTTP response
HTTP/2 200 OK
Cache-Control: no-store
[...]
// HTTP GET request
GET /auth/user/3lWtx49FrV2.../password/reset/f496875e6e1d88d80aa5.../1677948661/2f2ea8d230adaf03bd749081d... HTTP/2
Host: manage.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
[...]
// HTTP response
HTTP/2 200 OK
Cache-Control: public, max-age=60, stale-if-error=1209600, stale-while-revalidate=600
[...]
Note: the reset page, whose URL carries the reset token, is served with Cache-Control: public plus stale-* directives, so shared caches are permitted to store it; a reset response should carry Cache-Control: no-store.
Password Change Misconfig
1. Login to user account
2. Click Account -> Personal Profile
3. Select Change Password -> Current Password -> FastLy%2540!1M
4. Select New Password -> P.P.P.P.P.P.P -> Confirm Password -> P.P.P.P.P.P.P
5. Select Sign Out Option
6. Login with the new password (succeeds, even though the /oauth/password request below is answered 401 Unauthorized)
// HTTP POST request
POST /oauth/password HTTP/2
Host: api.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
[...]
[...]
client_id=fastly-ui&grant_type=password&new_password=P.P.P.P.P.P.P&old_password=FastLy%2540!1M&username=mwebsec%40gmail.com
[...]
// HTTP response
HTTP/2 401 Unauthorized
Status: 401 Unauthorized
Cache-Control: no-store
Content-Type: application/json
[...]
[...]
{"msg":"Token 3kzBPKXbsbtZBl9..."}
[...]
// HTTP POST request
POST /oauth/access_token HTTP/2
Host: api.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
[...]
[...]
client_id=fastly-ui&grant_type=password&password=P.P.P.P.P.P.P&username=mwebsec%40gmail.com
[...]
// HTTP response
HTTP/2 200 OK
Status: 200 OK
[...]
[...]
{"id":"7IU53vPHZ...",
"name":"manage.fastly.com browser session",
"user_id":"3lWtx49FrV...",
"customer_id":"535znFHg...",
[...]
"token_type":"bearer",
"scope":"global",
"services":[],
"access_token":"qwdBQF43O..."}
[...]
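As an added example (not part of the original writeup and not Fastly's code), the following Python audits the two flows above offline. It parses constructed responses modelled on the truncated captures (every token is a placeholder), flags the Cache-Control: public header on the reset page, flags a change-password call that returns an error while the new password still authenticates, and checks the accepted value P.P.P.P.P.P.P against an assumed complexity policy. The sample captures, the MIN_LENGTH floor and the policy thresholds are assumptions for illustration, not Fastly's documented policy.

```python
from typing import Dict, List, Tuple

# Constructed sample captures, modelled on the truncated responses shown on
# this page. Headers are abbreviated and every token is a placeholder.
RESET_PAGE_RESPONSE = (
    "HTTP/2 200 OK\r\n"
    "Cache-Control: public, max-age=60, stale-if-error=1209600, "
    "stale-while-revalidate=600\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>reset form</html>"
)
CHANGE_PASSWORD_RESPONSE = (
    "HTTP/2 401 Unauthorized\r\n"
    "Cache-Control: no-store\r\n"
    "\r\n"
    '{"msg":"Token PLACEHOLDER"}'
)
LOGIN_RESPONSE = (
    "HTTP/2 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"token_type":"bearer","scope":"global","access_token":"PLACEHOLDER"}'
)
NEW_PASSWORD = "P.P.P.P.P.P.P"  # the value the page shows being accepted
MIN_LENGTH = 12                  # assumed policy floor, not Fastly's documented policy


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw text capture into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def cache_control_findings(headers: Dict[str, str]) -> List[str]:
    """A response whose URL carries a one-time reset token must not be cacheable."""
    cc = headers.get("cache-control", "")
    directives = {d.strip().split("=")[0].lower() for d in cc.split(",") if d.strip()}
    findings = []
    if "public" in directives:
        findings.append("Cache-Control: public lets shared caches store the reset page")
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")
    if directives & {"stale-if-error", "stale-while-revalidate"}:
        findings.append("stale-* directives allow serving the page after max-age expires")
    return findings


def smallest_period(s: str) -> int:
    """Length of the shortest prefix whose repetition (possibly cut short) reproduces s."""
    n = len(s)
    for p in range(1, n):
        if (s[:p] * (n // p + 1))[:n] == s:
            return p
    return n


def password_findings(pw: str) -> List[str]:
    """Checks a server-side policy should apply before accepting a new password."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    distinct = len(set(pw))
    if distinct < 5:
        findings.append(f"only {distinct} distinct characters")
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    if classes < 3:
        findings.append(f"only {classes} character classes")
    period = smallest_period(pw)
    if period * 2 <= len(pw):  # the pattern repeats at least twice in full
        findings.append(f"repeats the {period}-character pattern {pw[:period]!r}")
    return findings


def password_change_findings(change_status: int, login_status: int) -> List[str]:
    """Flag a change-password call that reports an error while the new password works."""
    if change_status >= 400 and login_status == 200:
        return [f"password change answered HTTP {change_status} but the new password authenticates"]
    return []


def audit() -> Dict[str, List[str]]:
    """Run every check over the constructed captures and return findings per area."""
    _, reset_headers, _ = parse_response(RESET_PAGE_RESPONSE)
    change_status, _, _ = parse_response(CHANGE_PASSWORD_RESPONSE)
    login_status, _, _ = parse_response(LOGIN_RESPONSE)
    return {
        "reset_page_caching": cache_control_findings(reset_headers),
        "password_policy": password_findings(NEW_PASSWORD),
        "change_flow": password_change_findings(change_status, login_status),
    }


if __name__ == "__main__":
    for area, items in audit().items():
        print(area, "->", items)
```

Against the constructed captures, every area returns findings: the reset page is flagged three times (public, missing no-store, stale-* directives), P.P.P.P.P.P.P is flagged for two distinct characters, two character classes and a repeated two-character pattern, and the 401-then-200 sequence is reported as a misleading error response. A long passphrase with several character classes, such as Correct-Horse-Battery-9, passes the policy check.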